From: Andreas Geissler Date: Mon, 22 Apr 2024 15:14:43 +0000 (+0000) Subject: Merge "[AAI] Add model-loader tracing config" X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=refs%2Fheads%2Fmaster;hp=8c26e59d30a185186cf33988a0dbb859409f73eb Merge "[AAI] Add model-loader tracing config" --- diff --git a/.gitignore b/.gitignore index bb11f06df9..e7726292f1 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ kubernetes/common/dist/* Chart.lock **/charts/*.tgz *.orig +*_build # AAI Schema **/schema/* diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 980093a7a5..bcbafe5d5f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -6,7 +6,7 @@ repos: - id: trailing-whitespace #exclude: '^ordmodels/' - repo: https://github.com/jorisroovers/gitlint - rev: v0.17.0 + rev: v0.18.0 hooks: - id: gitlint stages: [commit-msg] diff --git a/.readthedocs.yaml b/.readthedocs.yaml index 40e9e991d2..78491afc51 100644 --- a/.readthedocs.yaml +++ b/.readthedocs.yaml @@ -7,15 +7,15 @@ version: 2 build: - image: latest + os: ubuntu-20.04 + tools: + python: "3.8" + apt_packages: + - graphviz python: - version: 3.7 install: - requirements: docs/requirements-docs.txt -submodules: - include: all - sphinx: - configuration: docs/conf.py \ No newline at end of file + configuration: docs/conf.py diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e16772ddc1..f736f079e4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -19,36 +19,41 @@ limitations under the License. Thanks for taking the time to contribute to OOM! Please see some information on how to do it. -## How to become a contributor and submit your own code +## Local setup -### Environment setup -In order to be able to check on your side before submitting, you'll need to install some binaries: +### Install helm-push plugin -* helm (satisfying the targeted version as seen in [setup guide]( -docs/oom_cloud_setup_guide.rst#software-requirements)). -* chartmuseum (in order to push dependency charts) -* helm push (version 0.10.1 as of today) -* make +In order to push locally built charts to chartmuseum, the `helm-push` plugin must be installed. You can do that with: -### Linting and testing -OOM uses helm linting in order to check that the template rendering is correct with default values. +```sh +$ helm plugin install https://github.com/chartmuseum/helm-push +Downloading and installing helm-push v0.10.4 ... +https://github.com/chartmuseum/helm-push/releases/download/v0.10.3/helm-push_0.10.4_linux_amd64.tar.gz +Installed plugin: cm-push +``` -The first step is to start chartmuseum: +### Run chartmuseum ``` shell -nohup chartmuseum --storage="local" --storage-local-rootdir="/tmp/chartstorage" \ - --port 6464 & +mkdir -p charts && docker-compose up ``` or ``` shell -docker-compose up +nohup chartmuseum --storage="local" --storage-local-rootdir="/tmp/chartstorage" \ + --port 6464 & ``` -then you add a `local` repository to helm: +### Add a `local` chart repository + +OOM contains `make` files that build the charts and push them to the local chartmuseum. +For that to work, helm needs to know about the `local` helm repository. ```shell -helm repo remove local || helm repo add local http://localhost:6464 +helm repo remove local; helm repo add local http://localhost:6464 ``` +### Linting and testing +OOM uses helm linting in order to check that the template rendering is correct with default values. 
+ As full rendering may be extremely long (~9h), you may only want to lint the common part and the component you're working on. Here's an example with AAI: ```shell diff --git a/TOSCA/ONAP_TOSCA/onap_tosca.yaml b/TOSCA/ONAP_TOSCA/onap_tosca.yaml index e63901d35f..46e6ffa966 100644 --- a/TOSCA/ONAP_TOSCA/onap_tosca.yaml +++ b/TOSCA/ONAP_TOSCA/onap_tosca.yaml @@ -50,7 +50,7 @@ node_templates: chart-version: { get_input: chart-version } namespace: { get_input: namespace } stable-repo-url: { get_input: stable-repo-url} - config: '{ "aaf": {"enabled": false}, "aai": {"enabled": false}, "appc": {"enabled": false}, "clamp": {"enabled": false}, "cli": {"enabled": false}, "consul": {"enabled": false}, "dcaegen2": {"enabled": false}, "dmaap": {"enabled": false}, "log": {"enabled": false}, "sniro-emulator": {"enabled": false}, "msb": {"enabled": false}, "multicloud": {"enabled": false}, "nbi": {"enabled": false}, "oof": {"enabled": false}, "policy": {"enabled": false}, "pomba": {"enabled": false}, "portal": {"enabled": false}, "robot": {"enabled": false}, "sdc": {"enabled": false}, "sdnc": {"enabled": false}, "so": {"enabled": false}, "uui": {"enabled": false}, "vfc": {"enabled": false}, "vid": {"enabled": false}, "vnfsdk": {"enabled": false} }' + config: '{ "aaf": {"enabled": false}, "aai": {"enabled": false}, "clamp": {"enabled": false}, "cli": {"enabled": false}, "consul": {"enabled": false}, "dcaegen2": {"enabled": false}, "dmaap": {"enabled": false}, "log": {"enabled": false}, "sniro-emulator": {"enabled": false}, "msb": {"enabled": false}, "multicloud": {"enabled": false}, "nbi": {"enabled": false}, "oof": {"enabled": false}, "policy": {"enabled": false}, "pomba": {"enabled": false}, "portal": {"enabled": false}, "robot": {"enabled": false}, "sdc": {"enabled": false}, "sdnc": {"enabled": false}, "so": {"enabled": false}, "uui": {"enabled": false}, "vfc": {"enabled": false}, "vnfsdk": {"enabled": false} }' aaf: type: onap.nodes.component 
@@ -80,20 +80,6 @@ node_templates: - type: cloudify.relationships.connected_to target: onap_env - appc: - type: onap.nodes.component - properties: - tiller-server-ip: { get_input: tiller-server-ip } - tiller-server-port: { get_input: tiller-server-port } - component-name: appc - chart-repo-url: { get_input: chart-repo-url } - chart-version: { get_input: chart-version } - namespace: { get_input: namespace } - stable-repo-url: { get_input: stable-repo-url} - relationships: - - type: cloudify.relationships.connected_to - target: onap_env - clamp: type: onap.nodes.component properties: @@ -389,20 +375,6 @@ node_templates: - type: cloudify.relationships.connected_to target: onap_env - vid: - type: onap.nodes.component - properties: - tiller-server-ip: { get_input: tiller-server-ip } - tiller-server-port: { get_input: tiller-server-port } - component-name: vid - chart-repo-url: { get_input: chart-repo-url } - chart-version: { get_input: chart-version } - namespace: { get_input: namespace } - stable-repo-url: { get_input: stable-repo-url} - relationships: - - type: cloudify.relationships.connected_to - target: onap_env - vnfsdk: type: onap.nodes.component properties: diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000000..091cbca86c --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,13 @@ +version: '3' +services: + chartmuseum: + image: ghcr.io/helm/chartmuseum:v0.16.0 + ports: + - 6464:8080 + volumes: + - ./charts:/charts + environment: + PORT: 8080 + DEBUG: 1 + STORAGE: local + STORAGE_LOCAL_ROOTDIR: /charts \ No newline at end of file diff --git a/docs/archived/certs/hardcoded_certificates.csv b/docs/archived/certs/hardcoded_certificates.csv index fbc7db3e11..83c761e582 100644 --- a/docs/archived/certs/hardcoded_certificates.csv +++ b/docs/archived/certs/hardcoded_certificates.csv 
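Review bot: In the new docker-compose.yml, the mapping `- 6464:8080` publishes ChartMuseum on every host interface, and the environment block shown configures no authentication. Any machine that can reach the developer host could therefore upload or overwrite charts in the `local` repository that the make targets push to and, presumably, resolve dependencies from. Binding to loopback keeps the documented `http://localhost:6464` workflow unchanged: `- "127.0.0.1:6464:8080"`. A one-line comment at the top such as `# local development only: unauthenticated chart repository with DEBUG logging` would make the intent of `DEBUG: 1` explicit. The file also ends without a trailing newline.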
@@ -6,8 +6,6 @@ AAI/SEARCH-DATA,Yes,No,No,aai/oom/components/aai-search-data/resources/config/au AAI/SPARKY-BE,Yes,No,No,aai/oom/components/aai-spary-be/resources/config/auth/org.onap.aai.p12 AAI/BABEL,No,Yes,No,aai/oom/components/aai-babel/resources/config/auth/tomcat_keystore AAI/MODEL-LOADER,Yes,Yes,No,aai/oom/components/aai-model-loaderresources/config/auth/tomcat_keystore -APPC,Yes,No,No,kubernetes/appc/resources/config/certs/org.onap.appc.keyfile -APPC,Yes,No,No,kubernetes/appc/resources/config/certs/org.onap.appc.p12 certInitializer,Yes,No,No,kubernetes/common/certInitializer/resources DMaaP/MR,Yes,No,No,Hardcoded in container HOLMES,No,Yes,No,Hardcoded in container diff --git a/docs/archived/yaml/example-integration-override-v3.yaml b/docs/archived/yaml/example-integration-override-v3.yaml index a55b1c08fc..2c2742cc70 100644 --- a/docs/archived/yaml/example-integration-override-v3.yaml +++ b/docs/archived/yaml/example-integration-override-v3.yaml @@ -4,8 +4,6 @@ robot: enabled: true flavor: large - appcUsername: "appc@appc.onap.org" - appcPassword: "demo123456!" # KEYSTONE Version 3 Required for Rocky and beyond openStackKeystoneAPIVersion: "v3" # OS_AUTH_URL without the /v3 from the openstack .RC file @@ -54,16 +52,3 @@ so: openStackKeyStoneUrl: "http://10.12.25.2:5000/v3" # use the SO Java utility to encrypt the OS_PASSWORD for the OS_USERNAME openStackEncryptedPasswordHere: "YYYYYYYYYYYYYYYYYYYYYYYY_OPENSTACK_JAVA_PASSWORD_HERE_YYYYYYYYYYYYYYYY" -appc: - enabled: true - replicaCount: 3 - config: - enableClustering: true - openStackType: "OpenStackProvider" - openStackName: "OpenStack" - # OS_AUTH_URL from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000/v3" - openStackServiceTenantName: "OPENSTACK_PROJECT_NAME_HERE" - openStackDomain: "OPEN_STACK_DOMAIN_NAME_HERE" - openStackUserName: "OS_USER_NAME_HERE" - openStackEncryptedPassword: "OPENSTACK_CLEAR_TEXT_PASSWORD_HERE" 
diff --git a/docs/archived/yaml/example-integration-override.yaml b/docs/archived/yaml/example-integration-override.yaml index 5eeee5e2f5..46e18fce8f 100644 --- a/docs/archived/yaml/example-integration-override.yaml +++ b/docs/archived/yaml/example-integration-override.yaml @@ -1,21 +1,7 @@ ################################################################# # This override file configures openstack parameters for ONAP ################################################################# -appc: - config: - enableClustering: false - openStackType: "OpenStackProvider" - openStackName: "OpenStack" - # OS_AUTH_URL from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000/v2.0" - openStackServiceTenantName: "OPENSTACK_TENANTNAME_HERE" - # OS_USER_DOMAIN_NAME from the openstack .RC file - openStackDomain: "Default" - openStackUserName: "OPENSTACK_USERNAME_HERE" - openStackEncryptedPassword: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_PASSWORD_HERE_XXXXXXXXXXXXXXXX" robot: - appcUsername: "appc@appc.onap.org" - appcPassword: "demo123456!" # OS_AUTH_URL without the /v2.0 from the openstack .RC file openStackKeyStoneUrl: "http://10.12.25.2:5000" # From openstack network list output diff --git a/docs/conf.py b/docs/conf.py index 29c57e6da0..16ad9a9fc8 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -1,6 +1,6 @@ project = "onap" -release = "kohn" -version = "kohn" +release = "master" +version = "master" author = "Open Network Automation Platform" # yamllint disable-line rule:line-length @@ -32,7 +32,7 @@ exclude_patterns = ['archived/*.rst', '.tox'] # Change to {releasename} after you have created the new 'doc' branch. # -branch = 'kohn' +branch = 'master' intersphinx_mapping = {} doc_url = 'https://docs.onap.org/projects' @@ -55,5 +55,7 @@ def setup(app): linkcheck_ignore = [ "https://istio-release.storage.googleapis.com/charts", + "https://charts.bitnami.com/bitnami", + "https://codecentric.github.io/helm-charts", r'http://localhost:\d+/' ] 
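Review bot: The two entries added to `linkcheck_ignore` in docs/conf.py have no comment saying why these hosts are excluded from link checking. Sphinx compiles each entry as a regular expression and matches it from the start of the URL, so `"https://charts.bitnami.com/bitnami"` and `"https://codecentric.github.io/helm-charts"` also exempt every link below those prefixes, with `.` matching any character. I would add a comment above them, for example `# Helm repository base URLs, excluded because <reason linkcheck fails on them>`. For consistency with the existing `r'http://localhost:\d+/'` entry, raw strings with escaped dots would also help. The `setup(app)` function named in the hunk header lies outside the hunk.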
diff --git a/docs/conf.yaml b/docs/conf.yaml deleted file mode 100644 index 11eaff6045..0000000000 --- a/docs/conf.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -project_cfg: onap -project: onap - -# Change this to ReleaseBranchName to modify the header -default-version: kohn -# diff --git a/docs/index.rst b/docs/index.rst index 7a1d52b2ff..e889e0664c 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -13,7 +13,7 @@ OOM Documentation Repository sections/oom_project_description.rst sections/guides/development_guides/oom_development.rst - sections/guides/infra_guides/oom_infra_setup.rst + sections/guides/infra_guides/oom_infra.rst sections/guides/deployment_guides/oom_deployment.rst sections/guides/user_guides/oom_user_guide.rst sections/guides/access_guides/oom_access_info.rst diff --git a/docs/requirements-docs.txt b/docs/requirements-docs.txt index 9c104de61c..be92e5dcea 100644 --- a/docs/requirements-docs.txt +++ b/docs/requirements-docs.txt @@ -6,3 +6,4 @@ sphinxcontrib-swaggerdoc sphinxcontrib-spelling sphinxcontrib-plantuml sphinx_toolbox>=3.2.0 +six \ No newline at end of file diff --git a/docs/sections/guides/access_guides/oom_access_info.rst b/docs/sections/guides/access_guides/oom_access_info.rst index 4e9866725e..ebc2f65104 100644 --- a/docs/sections/guides/access_guides/oom_access_info.rst +++ b/docs/sections/guides/access_guides/oom_access_info.rst 
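Review bot: `six` is added to docs/requirements-docs.txt with no version specifier, so each documentation build installs whatever release the index serves at that moment. The neighbouring `sphinx_toolbox>=3.2.0` at least carries a lower bound. A constraint such as `six==<version verified in the docs build>` would keep the build reproducible and narrow the exposure to an unexpected upstream release. The added line also leaves the file without a trailing newline, which this same commit corrects for .readthedocs.yaml.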
@@ -15,10 +15,43 @@ OOM Access Info .. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png :align: right -Access via NodePort/Loadbalancer -******************************** +Access via Ingress (production) +******************************* -The ONAP deployment created by OOM operates in a private IP network that isn't +Using Ingress as access method requires the installation of an Ingress +controller and the configuration of the ONAP deployment to use it. + +For "ONAP on ServiceMesh" you can find the instructions in: + +- :ref:`oom_base_optional_addons` +- :ref:`oom_customize_overrides` + +In the ServiceMesh deployment the Istio IngressGateway is the only access point +for ONAP component interfaces. +Usually the Ingress is accessed via a LoadBalancer IP (), +which is used as central address. +All APIs/UIs are provided via separate URLs which are routed to the component service. +To use these URLs they need to be resolvable via DNS or via /etc/hosts. + +The domain name is usually defined in the `global` section of the ONAP helm-charts, +`virtualhost.baseurl` (here "simpledemo.onap.org") whereas the hostname of +the service (e.g. "sdc-fe-ui") is defined in the component's chart. + +.. code-block:: none + + kiali.simpledemo.onap.org + cds-ui.simpledemo.onap.org + sdc-fe-ui.simpledemo.onap.org + ... + +To access e.g. the SDC UI now the new ssl-encrypted URL: + +``https://sdc-fe-ui.simpledemo.onap.org/sdc1`` + +Access via NodePort/Loadbalancer (development) +********************************************** + +In the development setop OOM operates in a private IP network that isn't publicly accessible (i.e. OpenStack VMs with private internal network) which blocks access to the ONAP User Interfaces. To enable direct access to a service from a user's own environment (a laptop etc.) 
@@ -34,56 +67,32 @@ Kubernetes node. When using the `Loadbalancer` as `service:type` `Kubernetes LoadBalancer`_ object which gets a separate IP address. -.. note:: - The following example uses the `ONAP Portal`, which is not actively maintained - in Kohn and will be replaced in the future - -When e.g. the `portal-app` chart is deployed a Kubernetes service is created that +When e.g. the `sdc-fe` chart is deployed a Kubernetes service is created that instantiates a load balancer. The LB chooses the private interface of one of the nodes as in the example below (10.0.0.4 is private to the K8s cluster only). Then to be able to access the portal on port 8989 from outside the K8s & OpenStack environment, the user needs to assign/get the floating IP address that corresponds to the private IP as follows:: - > kubectl -n onap get services|grep "portal-app" - portal-app LoadBalancer 10.43.142.201 10.0.0.4 8989:30215/TCP,8006:30213/TCP,8010:30214/TCP 1d app=portal-app,release=dev + > kubectl -n onap get services|grep "sdc-fe" + sdc-fe LoadBalancer 10.43.142.201 10.0.0.4 8181:30207/TCP -In this example, use the 11.0.0.4 private address as a key find the +In this example, use the 10.0.0.4 private address as a key find the corresponding public address which in this example is 10.12.6.155. If you're using OpenStack you'll do the lookup with the horizon GUI or the OpenStack CLI for your tenant (openstack server list). 
That IP is then used in your `/etc/hosts` to map the fixed DNS aliases required by the ONAP Portal as shown below:: - 10.12.6.155 portal.api.simpledemo.onap.org - 10.12.6.155 vid.api.simpledemo.onap.org - 10.12.6.155 sdc.api.fe.simpledemo.onap.org - 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org - 10.12.6.155 sdc.dcae.plugin.simpledemo.onap.org - 10.12.6.155 portal-sdk.simpledemo.onap.org - 10.12.6.155 policy.api.simpledemo.onap.org - 10.12.6.155 aai.api.sparky.simpledemo.onap.org - 10.12.6.155 cli.api.simpledemo.onap.org - 10.12.6.155 msb.api.discovery.simpledemo.onap.org - 10.12.6.155 msb.api.simpledemo.onap.org - 10.12.6.155 clamp.api.simpledemo.onap.org - 10.12.6.155 so.api.simpledemo.onap.org - 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org + 10.43.142.201 sdc.fe.simpledemo.onap.org Ensure you've disabled any proxy settings the browser you are using to access the portal and then simply access now the new ssl-encrypted URL: -``https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm`` +``http://sdc.fe.simpledemo.onap.org:30207sdc1/portal`` .. note:: - Using the HTTPS based Portal URL the Browser needs to be configured to accept - unsecure credentials. - Additionally when opening an Application inside the Portal, the Browser - might block the content, which requires to disable the blocking and reloading - of the page - -.. note:: - Besides the ONAP Portal the Components can deliver additional user interfaces, + Besides the ONAP SDC the Components can deliver additional user interfaces, please check the Component specific documentation. .. note:: 
@@ -141,36 +150,3 @@ Kubernetes command: kubectl get svc -n onap -o go-template='{{range .items}}{{range.spec.ports}}{{if .nodePort}}{{.nodePort}}{{.}}{{"\n"}}{{end}}{{end}}{{end}}' - -(Optional) Access via Ingress -***************************** - -Using Ingress as access method requires the installation of an Ingress -controller and the configuration of the ONAP deployment to use it. - -For "ONAP on ServiceMesh" you can find the instructions in: - -- :ref:`oom_base_optional_addons` -- :ref:`oom_customize_overrides` - -In the ServiceMesh deployment the Istio IngressGateway is the only access point -for ONAP component interfaces. -Usually the Ingress is accessed via a LoadBalancer IP (), -which is used as central address. -All APIs/UIs are provided via separate URLs which are routed to the component service. -To use these URLs they need to be resolvable via DNS or via /etc/hosts. - -The domain name is usually defined in the `global` section of the ONAP helm-charts, -`virtualhost.baseurl` (here "simpledemo.onap.org") whereas the hostname of -the service (e.g. "sdc-fe-ui") is defined in the component's chart. - -.. code-block:: none - - kiali.simpledemo.onap.org - cds-ui.simpledemo.onap.org - sdc-fe-ui.simpledemo.onap.org - ... - -To access e.g. the SDC UI now the new ssl-encrypted URL: - -``https://sdc-fe-ui.simpledemo.onap.org/sdc1`` diff --git a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst index a49543cc0c..a5458f8562 100644 --- a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst +++ b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst 
@@ -23,7 +23,7 @@ See the `helm deploy`_ plugin usage section for more detail, or it the plugin ha Users can customize the override files to suit their required deployment. .. note:: - Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-istio.yaml`) + Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-gatewayapi.yaml`) can be found in the `oom/kubernetes/onap/resources/overrides/` directory. * Users can selectively enable or disable ONAP components by changing the ``enabled: true/false`` flags. @@ -32,7 +32,8 @@ Users can customize the override files to suit their required deployment. Enabling/Disabling Components -***************************** +============================= + Here is an example of the nominal entries that need to be provided. Different values files are available for different contexts. 
@@ -43,26 +44,58 @@ Different values files are available for different contexts. | -(Optional) "ONAP on Service Mesh" -********************************* +ONAP "Production" Setup +======================= + +The production setup deploys ONAP components exposing its external services +via Ingress with TLS termination. +Internal traffic encryption will be ensured by using Istio ServiceMesh. + +For external access we start to establish Authentication via Oauth2-proxy +and Keycloak, which will be completed in the coming release. + +To enable both "ServiceMesh" and "Ingress" configuration entries need +to be set before deployment. -To enable "ONAP on Service Mesh" both "ServiceMesh" and "Ingress" -configuration entries need to be configured before deployment. +Service Mesh and Ingress configuration +-------------------------------------- -Global settings relevant for ServiceMesh: +Global settings relevant for ServiceMesh and Ingress: .. code-block:: yaml global: ingress: # generally enable ingress for ONAP components - enabled: false + enabled: true # enable all component's Ingress interfaces enable_all: false + + # Provider: ingress, istio, gw-api + provider: gw-api + # Ingress class (only for provider "ingress"): e.g. 
nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + # default Ingress base URL - # can be overwritten in component by setting ingress.baseurlOverride + # All http requests via ingress will be redirected virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" # All http requests via ingress will be redirected on Ingress controller # only valid for Istio Gateway (ServiceMesh enabled) config: @@ -80,6 +113,7 @@ Global settings relevant for ServiceMesh: tls: true # be aware that linkerd is not well tested engine: "istio" # valid value: istio or linkerd + ... aafEnabled: false cmpv2Enabled: false tlsEnabled: false 
@@ -99,12 +133,39 @@ Ingress settings: - enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled) - enable_all: true → enables Ingress configuration in each component +- provider: "..." → sets the Ingress provider (ingress, istio, gw-api) +- ingressClass: "" → Ingress class (only for provider "ingress"): e.g. nginx, traefik +- ingressSelector: "" → Selector (only for provider "istio") to match with the ingress pod label "istio=ingress" +- commonGateway: "" → optional: common used Gateway (for Istio, GW-API) and http(s) listener names - virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components, resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride +- virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name for all Interfaces set by the components, + resulting in e.g. "pre-aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.preaddrOverride +- virtualhost.postaddr: "-post" → sets globally a postfix for the Application name for all Interfaces set by the components, + resulting in e.g. "aai-api-post.simpledemo.onap.org", can be overwritten in the component via: ingress.postaddrOverride - config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443) - config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret - namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate .. note:: - For "ONAP on Istio" an example override file (`onap-all-ingress-istio.yaml`) + For the Ingress setup example override files (`onap-all-ingress-istio.yaml`, `onap-all-ingress-gatewayapi.yaml`) can be found in the `oom/kubernetes/onap/resources/overrides/` directory. 
+ +External Authentication configuration +------------------------------------- + +For enabling of external authentication via Oauth2-Proxy and Keycloak +the following settings have to be done in the ONAP values override. +It will enable the deployment of the ONAP Realm to Keycloak and +installation and integration of the Oauth2-Proxy as external Auth-Provider. + +.. code-block:: yaml + + platform: + enabled: true + cmpv2-cert-service: + enabled: false + keycloak-init: + enabled: true + oauth2-proxy: + enabled: true \ No newline at end of file diff --git a/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst b/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst index 50701dd597..b0deff0e2b 100644 --- a/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst @@ -33,11 +33,7 @@ tools to host the updated helm charts. Chart museum is required to host the helm charts locally when deploying in a development environment:: - > curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum - - > chmod +x ./chartmuseum - - > mv ./chartmuseum /usr/local/bin + > curl https://raw.githubusercontent.com/helm/chartmuseum/main/scripts/get-chartmuseum | bash **Step 4.** To setup a local Helm server to store the ONAP charts:: diff --git a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst index f932360e44..e7dc2f0a35 100644 --- a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst 
@@ -32,7 +32,7 @@ Add the repository: To customize what applications are deployed, see the :ref:`oom_customize_overrides` section for more details, to provide your own custom overrides yaml file. -- To deploy a release, execute the following, substituting the tag with your preferred release (ie. 11.0.0):: +- To deploy a release, execute the following, substituting the tag with your preferred release (ie. 13.0.0):: > helm deploy dev onap-release/onap --namespace onap --create-namespace --set global.masterPassword=myAwesomePasswordThatINeedToChange --version -f oom/kubernetes/onap/resources/overrides/onap-all.yaml diff --git a/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst index a0dafcef9b..e9312382b3 100644 --- a/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst @@ -17,7 +17,7 @@ ONAP hosts the OOM `testing` helm charts in it's `ONAP helm testing repository`_ This is helm repo contains: * The `latest` charts built from the head of the `OOM`_ project's master - branch, tagged with the version number of the current development cycle (ie. 11.0.0). + branch, tagged with the version number of the current development cycle (ie. 12.0.0). Add the OOM testing repo & Deploy diff --git a/docs/sections/guides/infra_guides/oom_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_base_config_setup.rst deleted file mode 100644 index d228f5df56..0000000000 --- a/docs/sections/guides/infra_guides/oom_base_config_setup.rst +++ /dev/null 
@@ -1,187 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright (C) 2022 Nordix Foundation - -.. Links -.. _HELM Best Practices Guide: https://docs.helm.sh/chart_best_practices/#requirements -.. _helm installation guide: https://helm.sh/docs/intro/install/ -.. _kubectl installation guide: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ -.. _Curated applications for Kubernetes: https://github.com/kubernetes/charts -.. _Cert-Manager Installation documentation: https://cert-manager.io/docs/installation/kubernetes/ -.. _Cert-Manager kubectl plugin documentation: https://cert-manager.io/docs/usage/kubectl-plugin/ -.. _Strimzi Apache Kafka Operator helm Installation documentation: https://strimzi.io/docs/operators/in-development/deploying.html#deploying-cluster-operator-helm-chart-str - -.. _oom_base_setup_guide: - -OOM Base Platform -################# - -As part of the initial base setup of the host Kubernetes cluster, -the following mandatory installation and configuration steps must be completed. - -.. contents:: - :backlinks: top - :depth: 1 - :local: -.. - -For additional platform add-ons, see the :ref:`oom_base_optional_addons` section. - -Install & configure kubectl -*************************** -The Kubernetes command line interface used to manage a Kubernetes cluster needs to be installed -and configured to run as non root. 
- -For additional information regarding kubectl installation and configuration see the `kubectl installation guide`_ - -To install kubectl, execute the following, replacing the with the version defined -in the :ref:`versions_table` table:: - - > curl -LO https://dl.k8s.io/release/v/bin/linux/amd64/kubectl - - > chmod +x ./kubectl - - > sudo mv ./kubectl /usr/local/bin/kubectl - - > mkdir ~/.kube - - > cp kube_config_cluster.yml ~/.kube/config.onap - - > export KUBECONFIG=~/.kube/config.onap - - > kubectl config use-context onap - -Validate the installation:: - - > kubectl get nodes - -:: - - NAME STATUS ROLES AGE VERSION - onap-control-1 Ready controlplane,etcd 3h53m v1.23.8 - onap-control-2 Ready controlplane,etcd 3h53m v1.23.8 - onap-k8s-1 Ready worker 3h53m v1.23.8 - onap-k8s-2 Ready worker 3h53m v1.23.8 - onap-k8s-3 Ready worker 3h53m v1.23.8 - onap-k8s-4 Ready worker 3h53m v1.23.8 - onap-k8s-5 Ready worker 3h53m v1.23.8 - onap-k8s-6 Ready worker 3h53m v1.23.8 - - -Install & configure helm -************************ -Helm is used for package and configuration management of the relevant helm charts. 
-For additional information, see the `helm installation guide`_ - -To install helm, execute the following, replacing the with the version defined -in the :ref:`versions_table` table:: - - > wget https://get.helm.sh/helm-v-linux-amd64.tar.gz - - > tar -zxvf helm-v-linux-amd64.tar.gz - - > sudo mv linux-amd64/helm /usr/local/bin/helm - -Verify the helm version with:: - - > helm version - -Helm's default CNCF provided `Curated applications for Kubernetes`_ repository called -*stable* can be removed to avoid confusion:: - - > helm repo remove stable - -Install the additional OOM plugins required to un/deploy the OOM helm charts:: - - > git clone http://gerrit.onap.org/r/oom - - > cp -R ~/oom/kubernetes/helm/plugins/ /usr/local/bin/helm/plugins - -Verify the plugins are installed:: - - > helm plugin ls - -:: - - NAME VERSION DESCRIPTION - deploy 1.0.0 install (upgrade if release exists) parent charty and all subcharts as separate but related releases - undeploy 1.0.0 delete parent chart and subcharts that were deployed as separate releases - - -Install the strimzi kafka operator -********************************** -Strimzi Apache Kafka provides a way to run an Apache Kafka cluster on Kubernetes -in various deployment configurations by using kubernetes operators. -Operators are a method of packaging, deploying, and managing Kubernetes applications. - -Strimzi Operators extend the Kubernetes functionality, automating common -and complex tasks related to a Kafka deployment. By implementing -knowledge of Kafka operations in code, the Kafka administration -tasks are simplified and require less manual intervention. - -The Strimzi cluster operator is deployed using helm to install the parent chart -containing all of the required custom resource definitions. This should be done -by a kubernetes administrator to allow for deployment of custom resources in to -any kubernetes namespace within the cluster. 
- -Full installation instructions can be found in the -`Strimzi Apache Kafka Operator helm Installation documentation`_. - -To add the required helm repository, execute the following:: - - > helm repo add strimzi https://strimzi.io/charts/ - -To install the strimzi kafka operator, execute the following, replacing the with the version defined -in the :ref:`versions_table` table:: - - > helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version --set watchAnyNamespace=true --create-namespace - -Verify the installation:: - - > kubectl get po -n strimzi-system - -:: - - NAME READY STATUS RESTARTS AGE - strimzi-cluster-operator-7f7d6b46cf-mnpjr 1/1 Running 0 2m - - -Install Cert-Manager -******************** - -Cert-Manager is a native Kubernetes certificate management controller. -It can help with issuing certificates from a variety of sources, such as -Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, self -signed or external issuers. It ensures certificates are valid and up to -date, and attempt to renew certificates at a configured time before expiry. - -Cert-Manager is deployed using regular YAML manifests which include all -the needed resources (the CustomResourceDefinitions, cert-manager, -namespace, and the webhook component). - -Full installation instructions, including details on how to configure extra -functionality in Cert-Manager can be found in the -`Cert-Manager Installation documentation`_. - -There is also a kubectl plugin (kubectl cert-manager) that can help you -to manage cert-manager resources inside your cluster. For installation -steps, please refer to `Cert-Manager kubectl plugin documentation`_. 
- - -To install cert-manager, execute the following, replacing the with the version defined -in the :ref:`versions_table` table:: - - > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v/cert-manager.yaml - -Verify the installation:: - - > kubectl get po -n cert-manager - -:: - - NAME READY STATUS RESTARTS AGE - cert-manager-776c4cfcb6-vgnpw 1/1 Running 0 2m - cert-manager-cainjector-7d9668978d-hdxf7 1/1 Running 0 2m - cert-manager-webhook-66c8f6c75-dxmtz 1/1 Running 0 2m - diff --git a/docs/sections/guides/infra_guides/oom_base_optional_addons.rst b/docs/sections/guides/infra_guides/oom_base_optional_addons.rst deleted file mode 100644 index 5f81a363e9..0000000000 --- a/docs/sections/guides/infra_guides/oom_base_optional_addons.rst +++ /dev/null 
@@ -1,182 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright (C) 2022 Nordix Foundation - -.. Links -.. _Prometheus stack README: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#readme -.. _ONAP Next Generation Security & Logging Structure: https://wiki.onap.org/pages/viewpage.action?pageId=103417456 -.. _Istio best practices: https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prod/namespaces/ -.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/ -.. _Kiali setup guide: https://kiali.io/docs/installation/installation-guide/example-install/ - -.. _oom_base_optional_addons: - -OOM Optional Addons -################### - -The following optional applications can be added to your kubernetes environment. - -Install Prometheus Stack -************************ - -Prometheus is an open-source systems monitoring and alerting toolkit with -an active ecosystem. - -Kube Prometheus Stack is a collection of Kubernetes manifests, Grafana -dashboards, and Prometheus rules combined with documentation and scripts to -provide easy to operate end-to-end Kubernetes cluster monitoring with -Prometheus using the Prometheus Operator. As it includes both Prometheus -Operator and Grafana dashboards, there is no need to set up them separately. -See the `Prometheus stack README`_ for more information. 
- -To install the prometheus stack, execute the following: - -- Add the prometheus-community Helm repository:: - - > helm repo add prometheus-community https://prometheus-community.github.io/helm-charts - -- Update your local Helm chart repository cache:: - - > helm repo update - -- To install prometheus, execute the following, replacing the with the version defined in the :ref:`versions_table` table:: - - > helm install prometheus prometheus-community/kube-prometheus-stack --namespace=prometheus --create-namespace --version= - -ONAP on Service Mesh -******************** - -.. warning:: - "ONAP on Service Mesh" is not fully supported in "Kohn". Full support is - planned for London release to support the - `ONAP Next Generation Security & Logging Structure`_ - -.. figure:: ../../resources/images/servicemesh/ServiceMesh.png - :align: center - -ONAP is currenty planned to support Istio as default ServiceMesh platform. -Therefor the following instructions describe the setup of Istio and required tools. 
-Used `Istio best practices`_ and `Istio setup guide`_ - -Istio Platform Installation -=========================== - -Install Istio Basic Platform ----------------------------- - -- Configure the Helm repository:: - - > helm repo add istio https://istio-release.storage.googleapis.com/charts - - > helm repo update - -- Create a namespace for "mesh-level" configurations:: - - > kubectl create namespace istio-config - -- Create a namespace istio-system for Istio components:: - - > kubectl create namespace istio-system - -- Install the Istio Base chart which contains cluster-wide resources used by the - Istio control plane, replacing the with the version - defined in the :ref:`versions_table` table:: - - > helm upgrade -i istio-base istio/base -n istio-system --version - -- Install the Istio Base Istio Discovery chart which deploys the istiod service, replacing the - with the version defined in the :ref:`versions_table` table - (enable the variable to enforce the (sidecar) proxy startup before the container start):: - - > helm upgrade -i istiod istio/istiod -n istio-system --version - --wait --set global.proxy.holdApplicationUntilProxyStarts=true --set meshConfig.rootNamespace=istio-config - -Add an EnvoyFilter for HTTP header case ---------------------------------------- - -When handling HTTP/1.1, Envoy will normalize the header keys to be all lowercase. -While this is compliant with the HTTP/1.1 spec, in practice this can result in issues -when migrating existing systems that might rely on specific header casing. -In our case a problem was detected in the SDC client implementation, which relies on -uppercase header values. To solve this problem in general we add a EnvoyFilter to keep -the uppercase header in the istio-config namespace to apply for all namespaces, but -set the context to SIDECAR_INBOUND to avoid problems in the connection between Istio-Gateway and Services - -- Create a EnvoyFilter file (e.g. envoyfilter-case.yaml) - - .. 
collapse:: envoyfilter-case.yaml - - .. include:: ../../resources/yaml/envoyfilter-case.yaml - :code: yaml - -- Apply the change to Istio:: - - > kubectl apply -f envoyfilter-case.yaml - -Install Istio Gateway ---------------------- - -- Create a namespace istio-ingress for the Istio Ingress gateway - and enable istio-injection:: - - > kubectl create namespace istio-ingress - - > kubectl label namespace istio-ingress istio-injection=enabled - -- Install the Istio Gateway chart,replacing the - with the version defined in - the :ref:`versions_table` table:: - - > helm upgrade -i istio-ingressgateway istio/gateway -n istio-ingress - --version --wait - -Kiali Installation -================== - -Kiali is used to visualize the Network traffic in a ServiceMesh enabled cluster -For setup the kiali operator is used, see `Kiali setup guide`_ - -- Install kiali-operator namespace:: - - > kubectl create namespace kiali-operator - - > kubectl label namespace kiali-operator istio-injection=enabled - -- Install the kiali-operator:: - - > helm repo add kiali https://kiali.org/helm-charts - - > helm repo update kiali - - > helm install --namespace kiali-operator kiali/kiali-operator - -- Create Kiali CR file (e.g. kiali.yaml) - - .. collapse:: kiali.yaml - - .. include:: ../../resources/yaml/kiali.yaml - :code: yaml - -- Install kiali:: - - > kubectl apply -f kiali.yaml - -- Create Ingress gateway entry for the kiali web interface - using the configured Ingress (here "simpledemo.onap.org") - as described in :ref:`oom_customize_overrides` - - .. collapse:: kiali-ingress.yaml - - .. include:: ../../resources/yaml/kiali-ingress.yaml - :code: yaml - -- Add the Ingress entry for Kiali:: - - > kubectl -n istio-system apply -f kiali-ingress.yaml - - -Jaeger Installation -=================== - -To be done... \ No newline at end of file 
diff --git a/docs/sections/guides/infra_guides/oom_infra.rst b/docs/sections/guides/infra_guides/oom_infra.rst
new file mode 100644
index 0000000000..5c1d1f1434
--- /dev/null
+++ b/docs/sections/guides/infra_guides/oom_infra.rst
@@ -0,0 +1,33 @@
+.. This work is licensed under a Creative Commons Attribution 4.0
+.. International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright (C) 2022 Nordix Foundation
+
+.. Links
+.. _Kubernetes: https://kubernetes.io/
+
+
+.. _oom_infra_guide:
+
+OOM Infrastructure Guide
+========================
+
+.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png
+ :align: right
+
+OOM deploys and manages ONAP on a pre-established Kubernetes_ cluster - the
+creation of this cluster is outside of the scope of the OOM project as there
+are many options including public clouds with pre-established environments.
+If creation of a Kubernetes cluster is required, the life-cycle of this
+cluster is independent of the life-cycle of the ONAP components themselves.
+
+For more information about functionality and processes please refer to the
+following documents:
+
+.. toctree::
+ :maxdepth: 1
+
+ oom_infra_deployment_options.rst
+ oom_infra_deployment_requirements.rst
+ oom_infra_base_config_setup.rst
+ oom_infra_optional_addons.rst
diff --git a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
new file mode 100644
index 0000000000..f25f4e716c
--- /dev/null
+++ b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst
@@ -0,0 +1,408 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _HELM Best Practices Guide: https://docs.helm.sh/chart_best_practices/#requirements +.. _helm installation guide: https://helm.sh/docs/intro/install/ +.. _kubectl installation guide: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ +.. _Curated applications for Kubernetes: https://github.com/kubernetes/charts +.. _Cert-Manager Installation documentation: https://cert-manager.io/docs/installation/kubernetes/ +.. _Cert-Manager kubectl plugin documentation: https://cert-manager.io/docs/usage/kubectl-plugin/ +.. _Strimzi Apache Kafka Operator helm Installation documentation: https://strimzi.io/docs/operators/in-development/deploying.html#deploying-cluster-operator-helm-chart-str +.. _ONAP Next Generation Security & Logging Structure: https://wiki.onap.org/pages/viewpage.action?pageId=103417456 +.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/ +.. _Gateway-API: https://gateway-api.sigs.k8s.io/ +.. _Istio-Gateway: https://istio.io/latest/docs/reference/config/networking/gateway/ +.. _DefaultStorageClass: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/ + +.. _oom_base_setup_guide: + +OOM Base Platform +================= + +As part of the initial base setup of the host Kubernetes cluster, +the following mandatory installation and configuration steps must be completed. + +.. contents:: + :backlinks: top + :depth: 1 + :local: +.. + +For additional platform add-ons, see the :ref:`oom_base_optional_addons` section. + +Install & configure kubectl +--------------------------- + +The Kubernetes command line interface used to manage a Kubernetes cluster needs to be installed +and configured to run as non root. 
+ +For additional information regarding kubectl installation and configuration see the `kubectl installation guide`_ + +To install kubectl, execute the following, replacing the with the version defined +in the :ref:`versions_table` table:: + + > curl -LO https://dl.k8s.io/release/v/bin/linux/amd64/kubectl + + > chmod +x ./kubectl + + > sudo mv ./kubectl /usr/local/bin/kubectl + + > mkdir ~/.kube + + > cp kube_config_cluster.yml ~/.kube/config.onap + + > export KUBECONFIG=~/.kube/config.onap + + > kubectl config use-context onap + +Validate the installation:: + + > kubectl get nodes + +:: + + NAME STATUS ROLES AGE VERSION + onap-control-1 Ready controlplane,etcd 3h53m v1.27.5 + onap-control-2 Ready controlplane,etcd 3h53m v1.27.5 + onap-k8s-1 Ready worker 3h53m v1.27.5 + onap-k8s-2 Ready worker 3h53m v1.27.5 + onap-k8s-3 Ready worker 3h53m v1.27.5 + onap-k8s-4 Ready worker 3h53m v1.27.5 + onap-k8s-5 Ready worker 3h53m v1.27.5 + onap-k8s-6 Ready worker 3h53m v1.27.5 + + +Install & configure helm +------------------------ + +Helm is used for package and configuration management of the relevant helm charts. 
+For additional information, see the `helm installation guide`_ + +To install helm, execute the following, replacing the with the version defined +in the :ref:`versions_table` table:: + + > wget https://get.helm.sh/helm-v-linux-amd64.tar.gz + + > tar -zxvf helm-v-linux-amd64.tar.gz + + > sudo mv linux-amd64/helm /usr/local/bin/helm + +Verify the helm version with:: + + > helm version + +Helm's default CNCF provided `Curated applications for Kubernetes`_ repository called +*stable* can be removed to avoid confusion:: + + > helm repo remove stable + +Install the additional OOM plugins required to un/deploy the OOM helm charts:: + + > git clone http://gerrit.onap.org/r/oom + + > helm plugin install ~/oom/kubernetes/helm/plugins/deploy + + > helm plugin install ~/oom/kubernetes/helm/plugins/undeploy + +Verify the plugins are installed:: + + > helm plugin ls + +:: + + NAME VERSION DESCRIPTION + deploy 1.0.0 install (upgrade if release exists) parent chart and all subcharts as separate but related releases + undeploy 1.0.0 delete parent chart and subcharts that were deployed as separate releases + +Set the default StorageClass +---------------------------- + +In some ONAP components it is important to have a default storageClass defined (e.g. cassandra), +if you don't want to explicitly set it during the deployment via helm overrides. + +Therefor you should set the default storageClass (if not done during the K8S cluster setup) via the command:: + + > kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + +see `DefaultStorageClass`_ + +Install the Strimzi Kafka Operator +---------------------------------- + +Strimzi Apache Kafka provides a way to run an Apache Kafka cluster on Kubernetes +in various deployment configurations by using kubernetes operators. +Operators are a method of packaging, deploying, and managing Kubernetes applications. 
+ +Strimzi Operators extend the Kubernetes functionality, automating common +and complex tasks related to a Kafka deployment. By implementing +knowledge of Kafka operations in code, the Kafka administration +tasks are simplified and require less manual intervention. + +The Strimzi cluster operator is deployed using helm to install the parent chart +containing all of the required custom resource definitions. This should be done +by a kubernetes administrator to allow for deployment of custom resources in to +any kubernetes namespace within the cluster. + +Full installation instructions can be found in the +`Strimzi Apache Kafka Operator helm Installation documentation`_. + +To add the required helm repository, execute the following:: + + > helm repo add strimzi https://strimzi.io/charts/ + +To install the strimzi kafka operator, execute the following, replacing the with the version defined +in the :ref:`versions_table` table:: + + > helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version --set watchAnyNamespace=true --create-namespace + +Verify the installation:: + + > kubectl get po -n strimzi-system + +:: + + NAME READY STATUS RESTARTS AGE + strimzi-cluster-operator-7f7d6b46cf-mnpjr 1/1 Running 0 2m + + +.. _oom_base_setup_cert_manager: + +Install Cert-Manager +-------------------- + +Cert-Manager is a native Kubernetes certificate management controller. +It can help with issuing certificates from a variety of sources, such as +Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, self +signed or external issuers. It ensures certificates are valid and up to +date, and attempt to renew certificates at a configured time before expiry. + +Cert-Manager is deployed using regular YAML manifests which include all +the needed resources (the CustomResourceDefinitions, cert-manager, +namespace, and the webhook component). 
+ +Full installation instructions, including details on how to configure extra +functionality in Cert-Manager can be found in the +`Cert-Manager Installation documentation`_. + +There is also a kubectl plugin (kubectl cert-manager) that can help you +to manage cert-manager resources inside your cluster. For installation +steps, please refer to `Cert-Manager kubectl plugin documentation`_. + + +To install cert-manager, execute the following, replacing the with the version defined +in the :ref:`versions_table` table:: + + > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v/cert-manager.yaml + +Verify the installation:: + + > kubectl get po -n cert-manager + +:: + + NAME READY STATUS RESTARTS AGE + cert-manager-776c4cfcb6-vgnpw 1/1 Running 0 2m + cert-manager-cainjector-7d9668978d-hdxf7 1/1 Running 0 2m + cert-manager-webhook-66c8f6c75-dxmtz 1/1 Running 0 2m + +Istio Service Mesh +------------------ + +.. note:: + The ONAP deployment supports the + `ONAP Next Generation Security & Logging Structure`_ + +ONAP is currenty supporting Istio as default ServiceMesh platform. +Therefor the following instructions describe the setup of Istio and required tools. +Used `Istio setup guide`_ + +.. 
_oom_base_optional_addons_istio_installation: + +Istio Platform Installation +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Install Istio Basic Platform +"""""""""""""""""""""""""""" + +- Configure the Helm repository:: + + > helm repo add istio https://istio-release.storage.googleapis.com/charts + + > helm repo update + +- Create a namespace for "mesh-level" configurations:: + + > kubectl create namespace istio-config + +- Create a namespace istio-system for Istio components:: + + > kubectl create namespace istio-system + +- Install the Istio Base chart which contains cluster-wide resources used by the + Istio control plane, replacing the with the version + defined in the :ref:`versions_table` table:: + + > helm upgrade -i istio-base istio/base -n istio-system --version + +- Create an override for istiod (e.g. istiod.yaml) to add the oauth2-proxy as external + authentication provider and apply some specific config settings + + .. collapse:: istiod.yaml + + .. include:: ../../resources/yaml/istiod.yaml + :code: yaml + +- Install the Istio Base Istio Discovery chart which deploys the istiod service, replacing the + with the version defined in the :ref:`versions_table` table:: + + > helm upgrade -i istiod istio/istiod -n istio-system --version + --wait -f ./istiod.yaml + +Add an EnvoyFilter for HTTP header case +""""""""""""""""""""""""""""""""""""""" + +When handling HTTP/1.1, Envoy will normalize the header keys to be all +lowercase. While this is compliant with the HTTP/1.1 spec, in practice this +can result in issues when migrating existing systems that might rely on +specific header casing. In our case a problem was detected in the SDC client +implementation, which relies on uppercase header values. 
To solve this problem +in general we add a EnvoyFilter to keep the uppercase header in the +istio-config namespace to apply for all namespaces, but set the context to +SIDECAR_INBOUND to avoid problems in the connection between Istio-Gateway and +Services + +- Create a EnvoyFilter file (e.g. envoyfilter-case.yaml) + + .. collapse:: envoyfilter-case.yaml + + .. include:: ../../resources/yaml/envoyfilter-case.yaml + :code: yaml + +- Apply the change to Istio:: + + > kubectl apply -f envoyfilter-case.yaml + + +Ingress Controller Installation +------------------------------- + +In the production setup 2 different Ingress setups are supported. + +- Gateway API `Gateway-API`_ (recommended) +- Istio Gateway `Istio-Gateway`_ (alternative, but in the future deprecated) + +Depending on the solution, the ONAP helm values.yaml has to be configured. +See the :ref:`OOM customized deployment` section for more details. + +Gateway-API (recommended) +^^^^^^^^^^^^^^^^^^^^^^^^^ + +- Install the Gateway-API CRDs replacing the + with the version defined in + the :ref:`versions_table` table:: + + > kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download//experimental-install.yaml + +- Create a common Gateway instance named "common-gateway" + The following example uses provides listeners for HTTP(s), UDP and TCP + + .. collapse:: common-gateway.yaml + + .. include:: ../../resources/yaml/common-gateway.yaml + :code: yaml + +- Apply the change:: + + > kubectl apply -f common-gateway.yaml + +Istio Gateway (alternative) +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +- Create a namespace istio-ingress for the Istio Ingress gateway + and enable istio-injection:: + + > kubectl create namespace istio-ingress + + > kubectl label namespace istio-ingress istio-injection=enabled + +- To expose additional ports besides HTTP/S (e.g. for external Kafka access, SDNC-callhome) + create an override file (e.g. istio-ingress.yaml) + + .. collapse:: istio-ingress.yaml + + .. 
include:: ../../resources/yaml/istio-ingress.yaml + :code: yaml + +- Install the Istio Gateway chart using the override file, replacing the + with the version defined in + the :ref:`versions_table` table:: + + > helm upgrade -i istio-ingress istio/gateway -n istio-ingress + --version -f ingress-istio.yaml --wait + + +Keycloak Installation +--------------------- + +- Add helm repositories:: + + > helm repo add bitnami https://charts.bitnami.com/bitnami + + > helm repo add codecentric https://codecentric.github.io/helm-charts + + > helm repo update + +- create keycloak namespace:: + + > kubectl create namespace keycloak + > kubectl label namespace keycloak istio-injection=disabled + +Install Keycloak-Database +^^^^^^^^^^^^^^^^^^^^^^^^^ + +- To configure the Postgres DB + create an override file (e.g. keycloak-db-values.yaml) + + .. collapse:: keycloak-db-values.yaml + + .. include:: ../../resources/yaml/keycloak-db-values.yaml + :code: yaml + +- Install the Postgres DB:: + + > helm -n keycloak upgrade -i keycloak-db bitnami/postgresql --values ./keycloak-db-values.yaml + +Configure Keycloak +^^^^^^^^^^^^^^^^^^ + +- To configure the Keycloak instance + create an override file (e.g. keycloak-server-values.yaml) + + .. collapse:: keycloak-server-values.yaml + + .. include:: ../../resources/yaml/keycloak-server-values.yaml + :code: yaml + +- Install keycloak:: + + > helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml + +The required Ingress entry and REALM will be provided by the ONAP "Platform" +component. + +- Create Ingress gateway entry for the keycloak web interface + using the configured Ingress (here "simpledemo.onap.org") + as described in :ref:`oom_customize_overrides` + + .. collapse:: keycloak-ingress.yaml + + .. include:: ../../resources/yaml/keycloak-ingress.yaml + :code: yaml + +- Add the Ingress entry for Keycloak:: + + > kubectl -n keycloak apply -f keycloak-ingress.yaml + 
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst
new file mode 100644
index 0000000000..3b198cf1d6
--- /dev/null
+++ b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst
@@ -0,0 +1,40 @@
+.. This work is licensed under a Creative Commons Attribution 4.0
+.. International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright (C) 2022 Nordix Foundation
+
+.. Links
+.. _Kubernetes: https://kubernetes.io/
+.. _Kubernetes best practices: https://kubernetes.io/docs/setup/best-practices/cluster-large/
+.. _kubelet config guide: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
+
+
+
+ONAP Deployment Options
+=======================
+
+OOM supports 2 different deployment options of ONAP.
+
+- Development Setup
+- Production Setup
+
+In the following sections describe the different setups.
+
+Development setup
+-----------------
+
+The development setup deploys ONAP components exposing its external services
+via NodePorts and without TLS termination and internal traffic encryption.
+
+Production setup
+----------------
+
+The production setup deploys ONAP components exposing its external services
+via Ingress with TLS termination.
+Internal traffic encryption will be ensured by using Istio ServiceMesh.
+
+.. figure:: ../../resources/images/servicemesh/ServiceMesh.png
+ :align: center
+
+For external access we propose to establish Authentication via Oauth2-proxy
+and Keycloak which is described in this document.
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
new file mode 100644
index 0000000000..4b2a7528cb
--- /dev/null
+++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst
@@ -0,0 +1,74 @@
+.. This work is licensed under a Creative Commons Attribution 4.0
+.. International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright (C) 2022 Nordix Foundation
+
+.. Links
+.. _Kubernetes: https://kubernetes.io/
+.. _Kubernetes best practices: https://kubernetes.io/docs/setup/best-practices/cluster-large/
+.. _kubelet config guide: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
+
+
+
+ONAP Deployment Requirements
+============================
+
+.. rubric:: Minimum Hardware Configuration
+
+Some recommended hardware requirements are provided below. Note that this is for a
+full ONAP deployment (all components).
+
+.. table:: OOM Hardware Requirements
+
+ ===== ===== ====== ====================
+ RAM HD vCores Ports
+ ===== ===== ====== ====================
+ 224GB 160GB 112 0.0.0.0/0 (all open)
+ ===== ===== ====== ====================
+
+Customizing ONAP to deploy only components that are needed will drastically reduce these requirements.
+See the :ref:`OOM customized deployment` section for more details.
+
+.. note::
+ | Kubernetes supports a maximum of 110 pods per node - this can be overcome by modifying your kubelet config.
+ | See the `kubelet config guide`_ for more information.
+
+ | The use of many small nodes is preferred over a few larger nodes (for example 14 x 16GB - 8 vCores each).
+
+ | OOM can be deployed on a private set of physical hosts or VMs (or even a combination of the two).
+
+.. rubric:: Software Requirements
+
+The versions of software that are supported and tested by OOM are as follows:
+
+.. _versions_table:
+
+.. 
table:: OOM Software Requirements (base)
+
+ ============== =========== ======= ======== ======== ============= ========
+ Release Kubernetes Helm kubectl Docker Cert-Manager Strimzi
+ ============== =========== ======= ======== ======== ============= ========
+ London 1.23.8 3.8.2 1.23.x 20.10.x 1.12.2 0.35.0
+ Montreal 1.27.5 3.12.3 1.27.x 20.10.x 1.13.2 0.36.1
+ New Delhi 1.27.5 3.12.3 1.27.x 20.10.x 1.13.2 0.40.0
+ ============== =========== ======= ======== ======== ============= ========
+
+.. table:: OOM Software Requirements (production)
+
+ ============== ====== ============ ==============
+ Release Istio Gateway-API Keycloak
+ ============== ====== ============ ==============
+ London 1.17.2 v0.6.2 19.0.3-legacy
+ Montreal 1.19.3 v1.0.0 19.0.3-legacy
+ New Delhi 1.19.3 v1.0.0 22.0.4
+ ============== ====== ============ ==============
+
+.. table:: OOM Software Requirements (optional)
+
+ ============== ================= ========== =================
+ Release Prometheus Stack K8ssandra MariaDB-Operator
+ ============== ================= ========== =================
+ London 45.x 1.6.1
+ Montreal 45.x 1.10.2 0.23.1
+ New Delhi 45.x 1.11.0 0.24.0
+ ============== ================= ========== =================
diff --git a/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst b/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst
new file mode 100644
index 0000000000..fb164bc5e6
--- /dev/null
+++ b/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst
@@ -0,0 +1,199 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Prometheus stack README: https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/README.md +.. _ONAP Next Generation Security & Logging Structure: https://wiki.onap.org/pages/viewpage.action?pageId=103417456 +.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/ +.. _Kiali setup guide: https://kiali.io/docs/installation/installation-guide/example-install/ +.. _Kserve setup guide: https://kserve.github.io/website/0.10/admin/kubernetes_deployment/ +.. _K8ssandra setup guide: https://docs.k8ssandra.io/install/ +.. _Mariadb-Operator setup guide: https://github.com/mariadb-operator/mariadb-operator +.. _Postgres-Operator setup guide: https://github.com/CrunchyData/postgres-operator + +.. _oom_base_optional_addons: + +OOM Optional Addons +=================== + +The following optional applications can be added to your kubernetes +environment. + +Install Prometheus Stack +------------------------ + +Prometheus is an open-source systems monitoring and alerting toolkit with +an active ecosystem. + +Kube Prometheus Stack is a collection of Kubernetes manifests, Grafana +dashboards, and Prometheus rules combined with documentation and scripts to +provide easy to operate end-to-end Kubernetes cluster monitoring with +Prometheus using the Prometheus Operator. As it includes both Prometheus +Operator and Grafana dashboards, there is no need to set up them separately. +See the `Prometheus stack README`_ for more information. 
+ +To install the prometheus stack, execute the following: + +- Add the prometheus-community Helm repository:: + + > helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +- Update your local Helm chart repository cache:: + + > helm repo update + +- To install prometheus, execute the following, replacing the with the version defined in the :ref:`versions_table` table:: + + > helm install prometheus prometheus-community/kube-prometheus-stack --namespace=prometheus --create-namespace --version= + + +Kiali Installation +------------------ + +Kiali is used to visualize the Network traffic in a ServiceMesh enabled cluster +For setup the kiali operator is used, see `Kiali setup guide`_ + +- Install kiali-operator namespace:: + + > kubectl create namespace kiali-operator + + > kubectl label namespace kiali-operator istio-injection=enabled + +- Install the kiali-operator:: + + > helm repo add kiali https://kiali.org/helm-charts + + > helm repo update kiali + + > helm install --namespace kiali-operator kiali/kiali-operator + +- Create Kiali CR file (e.g. kiali.yaml) + + .. collapse:: kiali.yaml + + .. include:: ../../resources/yaml/kiali.yaml + :code: yaml + +- Install kiali:: + + > kubectl apply -f kiali.yaml + +- Create Ingress gateway entry for the kiali web interface + using the configured Ingress (here "simpledemo.onap.org") + as described in :ref:`oom_customize_overrides` + + .. collapse:: kiali-ingress.yaml + + .. include:: ../../resources/yaml/kiali-ingress.yaml + :code: yaml + +- Add the Ingress entry for Kiali:: + + > kubectl -n istio-system apply -f kiali-ingress.yaml + + +Jaeger Installation +------------------- + +To be done... 
+ +K8ssandra-Operator Installation +------------------------------- + +K8ssandra-Operator is used to ease the installation and lifecycle management +Cassandra clusters, including monitoring and backup + +For setup the K8ssandra operator is used, see `K8ssandra setup guide`_ + +- Install k8ssandra-operator namespace:: + + > kubectl create namespace k8ssandra-operator + + > kubectl label namespace k8ssandra-operator istio-injection=enabled + +- Install the k8ssandra-operator replacing the with the version defined in the :ref:`versions_table` table:: + + > helm repo add k8ssandra https://helm.k8ssandra.io/stable + + > helm repo update k8ssandra + + > helm install k8ssandra-operator --namespace k8ssandra-operator + k8ssandra/k8ssandra-operator --set global.clusterScoped=true + --version= + +Mariadb-Operator Installation +----------------------------- + +Mariadb-Operator is used to ease the installation and lifecycle management of +MariaDB Galera and Replication clusters, including monitoring and backup + +For setup the Mariadb-Operator is used, see `Mariadb-Operator setup guide`_ + +- Install mariadb-operator namespace:: + + > kubectl create namespace mariadb-operator + + > kubectl label namespace mariadb-operator istio-injection=enabled + +- Install the mariadb-operator replacing the with the version defined in the :ref:`versions_table` table:::: + + > helm repo add mariadb-operator https://mariadb-operator.github.io/mariadb-operator + + > helm repo update mariadb-operator + + > helm install mariadb-operator --namespace mariadb-operator + mariadb-operator/mariadb-operator --set ha.enabled=true + --set metrics.enabled=true --set webhook.certificate.certManager=true + --version= + +Postgres-Operator Installation +------------------------------ + +Postgres-Operator is used to ease the installation and lifecycle management of +Postgres DB clusters, including monitoring and backup + +For setup the Postgres-Operator is used, see `Postgres-Operator setup guide`_ + +Kserve 
Installation +------------------- + +KServe is a standard Model Inference Platform on Kubernetes. It supports +RawDeployment mode to enable InferenceService deployment with Kubernetes +resources. Comparing to serverless deployment it unlocks Knative limitations +such as mounting multiple volumes, on the other hand Scale down and from Zero +is not supported in RawDeployment mode. + +This installation is necessary for the ML models to be deployed as inference +service. Once deployed, the inference services can be queried for the +prediction. + +**Kserve participant component in Policy ACM requires this installation. Kserve participant deploy/undeploy inference services in Kserve.** + +Dependent component version compatibility details and installation instructions +can be found at `Kserve setup guide`_ + +Kserve installation requires the following components: + +- Istio. Its installation instructions can be found at :ref:`oom_base_optional_addons_istio_installation` + +- Cert-Manager. Its installation instructions can be found at :ref:`oom_base_setup_cert_manager` + +Installation instructions as follows, + +- Create kserve namespace:: + + > kubectl create namespace kserve + +- Install Kserve:: + + > kubectl apply -f https://github.com/kserve/kserve/releases/download/v/kserve.yaml + +- Install Kserve default serving runtimes:: + + > kubectl apply -f https://github.com/kserve/kserve/releases/download/v/kserve-runtimes.yaml + +- Patch ConfigMap inferenceservice-config as follows:: + + > kubectl patch configmap/inferenceservice-config -n kserve --type=strategic -p '{"data": {"deploy": "{\"defaultDeploymentMode\": \"RawDeployment\"}"}}' diff --git a/docs/sections/guides/infra_guides/oom_infra_setup.rst b/docs/sections/guides/infra_guides/oom_infra_setup.rst deleted file mode 100644 index ed7b05a103..0000000000 --- a/docs/sections/guides/infra_guides/oom_infra_setup.rst +++ /dev/null 
@@ -1,81 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright (C) 2022 Nordix Foundation - -.. Links -.. _Kubernetes: https://kubernetes.io/ -.. _Kubernetes best practices: https://kubernetes.io/docs/setup/best-practices/cluster-large/ -.. _kubelet confg guide: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ - -.. _oom_infra_setup_guide: - -OOM Infrastructure Guide -######################## - -.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png - :align: right - -OOM deploys and manages ONAP on a pre-established Kubernetes_ cluster - the -creation of this cluster is outside of the scope of the OOM project as there -are many options including public clouds with pre-established environments. -If creation of a Kubernetes cluster is required, the life-cycle of this -cluster is independent of the life-cycle of the ONAP components themselves. - -.. rubric:: Minimum Hardware Configuration - -Some recommended hardware requirements are provided below. Note that this is for a -full ONAP deployment (all components). - -.. table:: OOM Hardware Requirements - - ===== ===== ====== ==================== - RAM HD vCores Ports - ===== ===== ====== ==================== - 224GB 160GB 112 0.0.0.0/0 (all open) - ===== ===== ====== ==================== - -Customizing ONAP to deploy only components that are needed will drastically reduce these requirements. -See the :ref:`OOM customized deployment` section for more details. - -.. note:: - | Kubernetes supports a maximum of 110 pods per node - this can be overcome by modifying your kubelet config. - | See the `kubelet confg guide`_ for more information. - - | The use of many small nodes is preferred over a few larger nodes (for example 14 x 16GB - 8 vCores each). - - | OOM can be deployed on a private set of physical hosts or VMs (or even a combination of the two). - -.. 
rubric:: Software Requirements - -The versions of software that are supported by OOM are as follows: - -.. _versions_table: - -.. table:: OOM Software Requirements (base) - - ============== =========== ======= ======== ======== ============ ======= - Release Kubernetes Helm kubectl Docker Cert-Manager Strimzi - ============== =========== ======= ======== ======== ============ ======= - Jakarta 1.22.4 3.6.3 1.22.4 20.10.x 1.8.0 0.28.0 - Kohn 1.23.8 3.8.2 1.23.8 20.10.x 1.8.0 0.32.0 - ============== =========== ======= ======== ======== ============ ======= - -.. table:: OOM Software Requirements (optional) - - ============== ================= ====== - Release Prometheus Stack Istio - ============== ================= ====== - Jakarta 35.x --- - Kohn 35.x 1.15.1 - ============== ================= ====== - - -.. toctree:: - :hidden: - - oom_base_config_setup.rst - oom_base_optional_addons.rst - oom_setup_ingress_controller.rst - - diff --git a/docs/sections/guides/infra_guides/oom_setup_ingress_controller.rst b/docs/sections/guides/infra_guides/oom_setup_ingress_controller.rst deleted file mode 100644 index 8c261fdfd7..0000000000 --- a/docs/sections/guides/infra_guides/oom_setup_ingress_controller.rst +++ /dev/null 
@@ -1,176 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2020, Samsung Electronics -.. Modification copyright (C) 2022 Nordix Foundation - -.. Links -.. _metallb Metal Load Balancer installation: https://metallb.universe.tf/installation/ - -.. _oom_setup_ingress_controller: - -OOM Ingress controller setup -############################ - -.. warning:: - This guide should prob go in the Optional addons section - -This optional guide provides instruction how to setup experimental ingress controller -feature. For this, we are hosting our cluster on OpenStack VMs and using the -Rancher Kubernetes Engine (RKE) to deploy and manage our Kubernetes Cluster and -ingress controller - -.. contents:: - :backlinks: top - :depth: 1 - :local: -.. - -The result at the end of this tutorial will be: - -#. Customization of the cluster.yaml file for ingress controller support - -#. Installation and configuration test DNS server for ingress host resolution - on testing machines - -#. Installation and configuration MLB (Metal Load Balancer) required for - exposing ingress service - -#. Installation and configuration NGINX ingress controller - -#. Additional info how to deploy ONAP with services exposed via Ingress - controller - -Customize cluster.yml file -************************** -Before setup cluster for ingress purposes DNS cluster IP and ingress provider -should be configured and following: - -.. code-block:: yaml - - --- - <...> - restore: - restore: false - snapshot_name: "" - ingress: - provider: none - dns: - provider: coredns - upstreamnameservers: - - :31555 - -Where the should be set to the same IP as the CONTROLPANE -node. - -For external load balancer purposes, minimum one of the worker node should be -configured with external IP address accessible outside the cluster. It can be -done using the following example node configuration: - -.. 
code-block:: yaml - - --- - <...> - - address: - internal_address: - port: "22" - role: - - worker - hostname_override: "onap-worker-0" - user: ubuntu - ssh_key_path: "~/.ssh/id_rsa" - <...> - -Where the is external worker node IP address, and -is internal node IP address if it is required. - - -DNS server configuration and installation -***************************************** -DNS server deployed on the Kubernetes cluster makes it easy to use services -exposed through ingress controller because it resolves all subdomain related to -the ONAP cluster to the load balancer IP. Testing ONAP cluster requires a lot -of entries on the target machines in the /etc/hosts. Adding many entries into -the configuration files on testing machines is quite problematic and error -prone. The better wait is to create central DNS server with entries for all -virtual host pointed to simpledemo.onap.org and add custom DNS server as a -target DNS server for testing machines and/or as external DNS for Kubernetes -cluster. - -DNS server has automatic installation and configuration script, so installation -is quite easy:: - - > cd kubernetes/contrib/dns-server-for-vhost-ingress-testing - - > ./deploy\_dns.sh - -After DNS deploy you need to setup DNS entry on the target testing machine. -Because DNS listen on non standard port configuration require iptables rules -on the target machine. Please follow the configuration proposed by the deploy -scripts. -Example output depends on the IP address and example output looks like bellow:: - - DNS server already deployed: - 1. You can add the DNS server to the target machine using following commands: - sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 - sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 - sudo sysctl -w net.ipv4.conf.all.route_localnet=1 - sudo sysctl -w net.ipv4.ip_forward=1 - 2. 
Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine - - -MetalLB Load Balancer installation and configuration -**************************************************** - -By default pure Kubernetes cluster requires external load balancer if we want -to expose external port using LoadBalancer settings. For this purpose MetalLB -can be used. Before installing the MetalLB you need to ensure that at least one -worker has assigned IP accessible outside the cluster. - -MetalLB Load balancer can be easily installed using automatic install script:: - - > cd kubernetes/contrib/metallb-loadbalancer-inst - - > ./install-metallb-on-cluster.sh - - -Configuration of the Nginx ingress controller -********************************************* - -After installation of the DNS server and ingress controller, we can install and -configure ingress controller. -It can be done using the following commands:: - - > cd kubernetes/contrib/ingress-nginx-post-inst - - > kubectl apply -f nginx_ingress_cluster_config.yaml - - > kubectl apply -f nginx_ingress_enable_optional_load_balacer_service.yaml - -After deploying the NGINX ingress controller, you can ensure that the ingress port is -exposed as load balancer service with an external IP address:: - - > kubectl get svc -n ingress-nginx - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - default-http-backend ClusterIP 10.10.10.10 80/TCP 25h - ingress-nginx LoadBalancer 10.10.10.11 10.12.13.14 80:31308/TCP,443:30314/TCP 24h - - -ONAP with ingress exposed services -********************************** -If you want to deploy onap with services exposed through ingress controller you -can use full onap deploy yaml:: - - > onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml - -Ingress also can be enabled on any onap setup override using following code: - -.. code-block:: yaml - - --- - <...> - global: - <...> - ingress: - enabled: true - 
diff --git a/docs/sections/guides/user_guides/oom_user_guide.rst b/docs/sections/guides/user_guides/oom_user_guide.rst index 449d5de3fa..d31c818d44 100644 --- a/docs/sections/guides/user_guides/oom_user_guide.rst +++ b/docs/sections/guides/user_guides/oom_user_guide.rst @@ -23,7 +23,7 @@ OOM User Guide .. warning:: - **THIS PAGE NEEDS TO BE EITHER REWRITTEN OR SOMETING AS SOME INFO IS NO LONGER RELEVANT** + **THIS PAGE NEEDS TO BE EITHER REWRITTEN OR SOMETHING AS SOME INFO IS NO LONGER RELEVANT** The ONAP Operations Manager (OOM) provide the ability to manage the entire life-cycle of an ONAP installation, from the initial deployment to final @@ -186,7 +186,7 @@ Here is an excerpt of this file: dependencies: <...> - name: so - version: ~11.0.0 + version: ~12.0.0 repository: '@local' condition: so.enabled <...> @@ -334,10 +334,10 @@ Below is the example for the same:: > helm list NAME REVISION UPDATED STATUS CHART APP VERSION NAMESPACE - dev 1 Wed Oct 14 13:49:52 2020 DEPLOYED onap-11.0.0 Kohn onap - dev-cassandra 5 Thu Oct 15 14:45:34 2020 DEPLOYED cassandra-11.0.0 onap - dev-contrib 1 Wed Oct 14 13:52:53 2020 DEPLOYED contrib-11.0.0 onap - dev-mariadb-galera 1 Wed Oct 14 13:55:56 2020 DEPLOYED mariadb-galera-11.0.0 onap + dev 1 Wed Oct 14 13:49:52 2020 DEPLOYED onap-12.0.0 london onap + dev-cassandra 5 Thu Oct 15 14:45:34 2020 DEPLOYED cassandra-12.0.0 onap + dev-contrib 1 Wed Oct 14 13:52:53 2020 DEPLOYED contrib-12.0.0 onap + dev-mariadb-galera 1 Wed Oct 14 13:55:56 2020 DEPLOYED mariadb-galera-12.0.0 onap Here the Name column shows the RELEASE NAME, In our case we want to try the scale operation on cassandra, thus the RELEASE NAME would be dev-cassandra. 
@@ -351,10 +351,10 @@ Below is the example for the same:: > helm search cassandra NAME CHART VERSION APP VERSION DESCRIPTION - local/cassandra 11.0.0 ONAP cassandra - local/portal-cassandra 11.0.0 Portal cassandra - local/aaf-cass 11.0.0 ONAP AAF cassandra - local/sdc-cs 11.0.0 ONAP Service Design and Creation Cassandra + local/cassandra 12.0.0 ONAP cassandra + local/portal-cassandra 12.0.0 Portal cassandra + local/aaf-cass 12.0.0 ONAP AAF cassandra + local/sdc-cs 12.0.0 ONAP Service Design and Creation Cassandra Here the Name column shows the chart name. As we want to try the scale operation for cassandra, thus the corresponding chart name is local/cassandra @@ -416,7 +416,7 @@ Prior to doing an upgrade, determine of the status of the deployed charts:: > helm list NAME REVISION UPDATED STATUS CHART NAMESPACE - so 1 Mon Feb 5 10:05:22 2020 DEPLOYED so-11.0.0 onap + so 1 Mon Feb 5 10:05:22 2020 DEPLOYED so-12.0.0 onap When upgrading a cluster a parameter controls the minimum size of the cluster during the upgrade while another parameter controls the maximum number of nodes 
@@ -439,21 +439,21 @@ sequence of events described in the previous paragraph would be initiated. For example, to upgrade a container by changing configuration, specifically an environment value:: - > helm upgrade so onap/so --version 11.0.1 --set enableDebug=true + > helm upgrade so onap/so --version 12.0.1 --set enableDebug=true Issuing this command will result in the appropriate container being stopped by Kubernetes and replaced with a new container with the new environment value. To upgrade a component to a new version with a new configuration file enter:: - > helm upgrade so onap/so --version 11.0.1 -f environments/demo.yaml + > helm upgrade so onap/so --version 12.0.1 -f environments/demo.yaml To fetch release history enter:: > helm history so REVISION UPDATED STATUS CHART DESCRIPTION - 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-11.0.0 Install complete - 2 Mon Jul 5 10:10:55 2022 DEPLOYED so-11.0.1 Upgrade complete + 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-12.0.0 Install complete + 2 Mon Jul 5 10:10:55 2022 DEPLOYED so-12.0.1 Upgrade complete Unfortunately, not all upgrades are successful. In recognition of this the lineup of pods within an ONAP deployment is tagged such that an administrator @@ -475,9 +475,9 @@ For example, to roll-back back to previous system revision enter:: > helm history so REVISION UPDATED STATUS CHART DESCRIPTION - 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-11.0.0 Install complete - 2 Mon Jul 5 10:10:55 2022 SUPERSEDED so-11.0.1 Upgrade complete - 3 Mon Jul 5 10:14:32 2022 DEPLOYED so-11.0.0 Rollback to 1 + 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-12.0.0 Install complete + 2 Mon Jul 5 10:10:55 2022 SUPERSEDED so-12.0.1 Upgrade complete + 3 Mon Jul 5 10:14:32 2022 DEPLOYED so-12.0.0 Rollback to 1 .. note:: diff --git a/docs/sections/oom_project_description.rst b/docs/sections/oom_project_description.rst index 404a410931..774237946d 100644 --- a/docs/sections/oom_project_description.rst +++ b/docs/sections/oom_project_description.rst 
@@ -11,7 +11,7 @@ ONAP Operations Manager Project .. warning:: - THIS PAGE PROB NEEDS A REWRITE ALSO + THIS PAGE PROB NEEDS A REWRITE AS IT IS OUTDATED The ONAP Operations Manager (OOM) is responsible for life-cycle management of the ONAP platform itself; components such as SO, SDNC, etc. It is not @@ -38,21 +38,19 @@ In summary OOM provides the following capabilities: service impact - **Delete** - cleanup individual containers or entire deployments -OOM supports a wide variety of Kubernetes private clouds - built with Rancher, -Kubeadm or Cloudify - and public cloud infrastructures such as: Microsoft +OOM supports a wide variety of Kubernetes private clouds - built with ClusterAPI, +Kubespray - and public cloud infrastructures such as: Microsoft Azure, Amazon AWS, Google GCD, VMware VIO, and OpenStack. The OOM documentation is broken into four different areas each targeted at a different user: - :ref:`oom_dev_guide` - a guide for developers of OOM -- :ref:`oom_infra_setup_guide` - a guide for those setting up the environments that OOM will use +- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use - :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud - :ref:`oom_user_guide` - a guide for operators of an OOM instance - :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications - - The :ref:`release_notes` for OOM describe the incremental features per release. Component Orchestration Overview diff --git a/docs/sections/release_notes/release-notes-honolulu.rst b/docs/sections/release_notes/release-notes-honolulu.rst index 3a7891a1ba..832ec580cc 100644 --- a/docs/sections/release_notes/release-notes-honolulu.rst +++ b/docs/sections/release_notes/release-notes-honolulu.rst 
@@ -128,7 +128,7 @@ Known Vulnerabilities Workarounds ----------- -- ``_ +- ``_ Workaround is to generate a password with "short" strength or pregenerate passwords without single quote in it. Default deployment is using "short" password generation for mariadb. diff --git a/docs/sections/release_notes/release-notes-kohn.rst b/docs/sections/release_notes/release-notes-kohn.rst new file mode 100644 index 0000000000..66d04628c1 --- /dev/null +++ b/docs/sections/release_notes/release-notes-kohn.rst 
@@ -0,0 +1,128 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_kohn: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Kohn release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Kohn | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2022/12/05 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Kubernetes support for version up to 1.23.8 +* Helm support for version up to Helm: 3.8.2 +* Kubespray version used for automated deployment 2.19 (used for automated deployment) +* Initial Setup for "ONAP on ServiceMesh" deployment + + * using Istio 1.14.1 as SM platform + * including Istio Ingress Gateway for external access + * modify 90% of ONAP component charts to support SeviceMesh + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11499 + + +**Known Issues** + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + 
+Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +* Cassandra version needs to be updated to support new Python version + see `OOM-2900 `_ + +Workarounds +----------- + + +Security Notes +-------------- + +**Fixed Security Issues** + +* Fixed vulnerabilities for oom-platform-cert-service + see `Fixes `_ + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-london.rst b/docs/sections/release_notes/release-notes-london.rst new file mode 100644 index 0000000000..28911b8923 --- /dev/null +++ b/docs/sections/release_notes/release-notes-london.rst 
@@ -0,0 +1,144 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_london: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Kohn ` +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the London release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | London | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2023/06/xx | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Introduction of "Production" ONAP setup, including: + + * Istio Service Mesh based deployment + * Ingress (Istio-Gateway) deployment and usage as standard external access method + * Internal Security provided by ServiceMesh and Component2Component AuthorizationPolicies + * External Security by introducing AuthN/Z using Keycloak and OAuth2Proxy for Ingress Access + +* Removal of unsupported components (AAF, Portal, Contrib,...) +* Update of Helmcharts to use common templates and practices +* Optional support for Cassandra 4.x using k8ssandra-operator + +* `REQ-1349 `_ Removal of AAF. 
+ Internal communication encryption and authorization is offered by ServiceMesh + +* `REQ-1350 `_ All component must be + able to run without MSB. Component helm charts modified to use MSB optionally + and test the components during Daily and Gating with and without MSB + +* `REQ-1351 `_ External secure + communication only via Ingress. + Ingress resources created by templates and Ingress installation is described + in the OOM documents + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11500 + +**Known Issues** + +* Components not working under ServiceMesh + + * CDS UI + * SO Monitor UI + * CLI + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +* Cassandra version needs to be updated to support new Python version + see `OOM-2900 `_ + In London supported as option (using k8ssandra-operator), see :ref:`oom_base_optional_addons` + +Workarounds +----------- + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. 
_`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes.rst b/docs/sections/release_notes/release-notes.rst index 4b1552dd40..0df9483e95 100644 --- a/docs/sections/release_notes/release-notes.rst +++ b/docs/sections/release_notes/release-notes.rst @@ -11,6 +11,8 @@ ONAP Operations Manager Release Notes Previous Release Notes ====================== +- :ref:`London ` +- :ref:`Kohn ` - :ref:`Jakarta ` - :ref:`Istanbul ` - :ref:`Honolulu ` @@ -25,7 +27,7 @@ Previous Release Notes Abstract ======== -This document provides the release notes for the Kohn release. +This document provides the release notes for the Montreal release. Summary ======= 
@@ -42,33 +44,39 @@ Release Data | **Docker images** | N/A | | | | +--------------------------------------+--------------------------------------+ -| **Release designation** | Kohn | +| **Release designation** | Montreal | | | | +--------------------------------------+--------------------------------------+ -| **Release date** | | +| **Release date** | 2023/12/xx | | | | +--------------------------------------+--------------------------------------+ New features ------------ -* Kubernetes support for version up to 1.23.8 -* Helm support for version up to Helm: 3.8.2 -* Kubespray version used for automated deployment 2.19 (used for automated deployment) -* Initial Setup for "ONAP on ServiceMesh" deployment +* Introduction of "Production" ONAP setup, including: - * using Istio 1.14.1 as SM platform - * including Istio Ingress Gateway for external access - * modify 90% of ONAP component charts to support SeviceMesh + * Besides the Istio Ingress APIs now the support for `Gateway-API`_ + is added to the templates, which includes: + + * TCP Routes + * UDP Routes + +* Update of Helmcharts to use common templates and practices +* Default support for Cassandra 4.x using k8ssandra-operator +* Default support for MariaDB 11.x using mariadb-operator **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11499 - +https://jira.onap.org/projects/OOM/versions/11501 **Known Issues** +* Components not working under ServiceMesh + + * SO Monitor UI + * Policy UI Deliverables ------------ 
@@ -83,7 +91,7 @@ Documentation Deliverables - :ref:`Project Description ` - a guide for developers of OOM - :ref:`oom_dev_guide` - a guide for developers of OOM -- :ref:`oom_infra_setup_guide` - a guide for those setting up the environments that OOM will use +- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use - :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud - :ref:`oom_user_guide` - a guide for operators of an OOM instance - :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications @@ -94,21 +102,15 @@ Known Limitations, Issues and Workarounds Known Vulnerabilities --------------------- -* Cassandra version needs to be updated to support new Python version - see `OOM-2900 `_ Workarounds ----------- - Security Notes -------------- **Fixed Security Issues** -* Fixed vulnerabilities for oom-platform-cert-service - see `Fixes `_ - References ========== @@ -124,3 +126,4 @@ For more information on the ONAP Istanbul release, please see: .. _`ONAP Wiki Page`: https://wiki.onap.org .. _`ONAP Documentation`: https://docs.onap.org .. _`ONAP Release Downloads`: https://git.onap.org +.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/ diff --git a/docs/sections/resources/csv/nodeports.csv b/docs/sections/resources/csv/nodeports.csv index b1c6fb5333..096e25eada 100644 --- a/docs/sections/resources/csv/nodeports.csv +++ b/docs/sections/resources/csv/nodeports.csv 
@@ -1,35 +1,21 @@ NodePort,Component,Service name,targetPort,Port -30200,VID,vid,8443,8443 30201,SDNC,sdnc-portal,8443,8443 30203,SDNC,sdnc-dgbuilder,3100,3000 30204,SDC,sdc-be-external,8443,8443 30207,SDC,sdc-fe,9443,9443 30209,ROBOT,robot,443,443 30210,AAI,aai-modelloader,8080,8080 -30211,APPC,appc,9191,9090 -30212,PORTAL,portal-sdk,8443,8443 30218,POLICY,pap,9091,9091 30219,POLICY,pap,8443,8443 30220,AAI,aai-sparky-be,8000,8000 -30222,DCAE,xdcae-hv-ves-collector,6061,6061 -30225,PORTAL,portal-app,8443,8443 +30222,DCAE,dcae-hv-ves-collector,6061,6061 30226,DMAAP,message-router-external,3905,3905 -30228,APPC,appc-dgbuilder,3100,3000 30229,AAI,aai-modelloader,8443,8443 -30230,APPC,appc,8443,8443 -30231,APPC,appc,1830,1830 30233,AAI,aai,8443,8443 -30234,POMBA*),pomba-kibana,5601,5601 30242,DMAAP,dmaap-bc,8443,8443 30248,OOF,oof-osdf,8699,8698 -30249,POMBA*),pomba-data-router,9502,9502 -30251,AAF,aaf-gui,8200,8200 -30253,LOG*),log-kibana,5601,5601 -30254,LOG*),log-es,9200,9200 -30255,LOG*),log-ls,5044,5044 30256,SDC,sdc-wfd-fe,8443,8443 30257,SDC,sdc-wfd-be,8443,8443 -30258,CLAMP,clamp-external,2443,2443 30260,CLI,cli,443,443 30264,DCAE,sdc-dcae-fe,9444,9444 30266,DCAE,sdc-dcae-dt,9446,9446 @@ -42,19 +28,13 @@ NodePort,Component,Service name,targetPort,Port 30279,AAI,aai-babel,9516,9516 30283,MSB,msb-iag,443,443 30284,MSB,msb-eag,443,443 -30288,SNIRO*),sniro-emulator,9999,80 -30289,APPC,appc-cdt,18080,18080 -30290,CLAMP,cdash-kibana,5601,5601 30297,VNFSDK,refrepo,8703,8703 -30299,POMBA*),pomba-networkdiscovery,8443,9531 30398,UUI,uui,8443,8443 30399,UUI,uui-server,8082,8082 30406,SO,so-vnfm-adapter,9092,9092 30407,MUSIC,music,8443,8443 30417,DCAE,xdcae-ves-collector,8443,8443 30418,DCAE,dashboard,8443,8443 -30420,NETBOX,netbox-nginx,8080,8080 -30478,AWX,awx-web,8080,80 30490,DMAAP,message-router-kafka-0,9091,9091 30491,DMAAP,message-router-kafka-1,9091,9091 30492,DMAAP,message-router-kafka-2,9091,9091 
diff --git a/docs/sections/resources/helm/helm-search.txt b/docs/sections/resources/helm/helm-search.txt index 75c274957b..fbca944bf9 100644 --- a/docs/sections/resources/helm/helm-search.txt +++ b/docs/sections/resources/helm/helm-search.txt 
@@ -1,42 +1,29 @@ NAME CHART VERSION APP VERSION DESCRIPTION -local/onap 11.0.0 Kohn Open Network Automation Platform (ONAP) -local/aaf 11.0.0 ONAP Application Authorization Framework -local/aai 11.0.0 ONAP Active and Available Inventory -local/appc 11.0.0 Application Controller -local/cassandra 11.0.0 ONAP cassandra -local/cds 11.0.0 ONAP Controller Design Studio (CDS) -local/clamp 11.0.0 ONAP Clamp -local/cli 11.0.0 ONAP Command Line Interface -local/common 11.0.0 Common templates for inclusion in other charts -local/consul 11.0.0 ONAP Consul Agent -local/contrib 11.0.0 ONAP optional tools -local/cps 11.0.0 ONAP Configuration Persistene Service (CPS) -local/dcaegen2 11.0.0 ONAP DCAE Gen2 -local/dgbuilder 11.0.0 D.G. Builder application -local/dmaap 11.0.0 ONAP DMaaP components -local/log 11.0.0 ONAP Logging ElasticStack -local/mariadb-galera 11.0.0 Chart for MariaDB Galera cluster -local/mongo 11.0.0 MongoDB Server -local/msb 11.0.0 ONAP MicroServices Bus -local/multicloud 11.0.0 ONAP multicloud broker -local/music 11.0.0 MUSIC - Multi-site State Coordination Service -local/mysql 11.0.0 MySQL Server -local/nbi 11.0.0 ONAP Northbound Interface -local/network-name-gen 11.0.0 Name Generation Micro Service -local/nfs-provisioner 11.0.0 NFS provisioner -local/oof 11.0.0 ONAP Optimization Framework -local/policy 11.0.0 ONAP Policy Administration Point -local/pomba 11.0.0 ONAP Post Orchestration Model Based Audit -local/portal 11.0.0 ONAP Web Portal -local/postgres 11.0.0 ONAP Postgres Server -local/robot 11.0.0 A helm Chart for kubernetes-ONAP Robot -local/sdc 11.0.0 Service Design and Creation Umbrella Helm charts -local/sdnc 11.0.0 SDN Controller -local/sdnc-prom 11.0.0 ONAP SDNC Policy Driven Ownership Management -local/sniro-emulator 11.0.0 ONAP Mock Sniro Emulator -local/so 11.0.0 ONAP Service Orchestrator -local/strimzi 11.0.0 ONAP Strimzi Apache Kafka -local/uui 11.0.0 ONAP uui -local/vfc 11.0.0 ONAP Virtual Function Controller (VF-C) -local/vid 11.0.0 ONAP 
Virtual Infrastructure Deployment -local/vnfsdk 11.0.0 ONAP VNF SDK +local/onap 12.0.0 London Open Network Automation Platform (ONAP) +local/a1policymanagement 12.0.0 ONAP A1 Policy Management +local/aai 12.0.0 ONAP Active and Available Inventory +local/cassandra 12.0.0 ONAP cassandra +local/cds 12.0.0 ONAP Controller Design Studio (CDS) +local/cli 12.0.0 ONAP Command Line Interface +local/common 12.0.0 Common templates for inclusion in other charts +local/cps 12.0.0 ONAP Configuration Persistene Service (CPS) +local/dcaegen2 12.0.0 ONAP DCAE Gen2 +local/dmaap 12.0.0 ONAP DMaaP components +local/mariadb-galera 12.0.0 Chart for MariaDB Galera cluster +local/msb 12.0.0 ONAP MicroServices Bus +local/multicloud 12.0.0 ONAP multicloud broker +local/nbi 12.0.0 ONAP Northbound Interface +local/nfs-provisioner 12.0.0 NFS provisioner +local/oof 12.0.0 ONAP Optimization Framework +local/policy 12.0.0 ONAP Policy Administration Point +local/postgres 12.0.0 ONAP Postgres Server +local/robot 12.0.0 A helm Chart for kubernetes-ONAP Robot +local/sdc 12.0.0 Service Design and Creation Umbrella Helm charts +local/sdnc 12.0.0 SDN Controller +local/sdnc-prom 12.0.0 ONAP SDNC Policy Driven Ownership Management +local/sniro-emulator 12.0.0 ONAP Mock Sniro Emulator +local/so 12.0.0 ONAP Service Orchestrator +local/strimzi 12.0.0 ONAP Strimzi Apache Kafka +local/uui 12.0.0 ONAP uui +local/vfc 12.0.0 ONAP Virtual Function Controller (VF-C) +local/vnfsdk 12.0.0 ONAP VNF SDK diff --git a/docs/sections/resources/yaml/common-gateway.yaml b/docs/sections/resources/yaml/common-gateway.yaml new file mode 100644 index 0000000000..3cc1cc55bc --- /dev/null +++ b/docs/sections/resources/yaml/common-gateway.yaml 
@@ -0,0 +1,96 @@ +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: common-gateway + namespace: istio-ingress +spec: + gatewayClassName: istio + listeners: + - name: http-80 + hostname: "*.{{ onap_baseurl }}" + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: All + - name: https-443 + hostname: "*.{{ onap_baseurl }}" + port: 443 + protocol: HTTPS + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + certificateRefs: + - kind: Secret + group: "" + name: ingress-tls-secret + - name: udp-162 + protocol: UDP + port: 162 + allowedRoutes: + kinds: + - kind: UDPRoute + namespaces: + from: All + - name: tcp-4334 + protocol: TCP + port: 4334 + allowedRoutes: + kinds: + - kind: TCPRoute + namespaces: + from: All + - name: tcp-9000 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9000 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9001 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9001 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9002 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9002 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9010 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-bootstrap-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9010 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate diff --git a/docs/sections/resources/yaml/environments_onap_demo.yaml b/docs/sections/resources/yaml/environments_onap_demo.yaml index 8b697cbda2..64dee3e846 100644 
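Review bot: Every listener in this Gateway sets `allowedRoutes.namespaces.from: All`, so a route created in any namespace can attach to the shared `common-gateway`, including the wildcard `*.{{ onap_baseurl }}` listeners and the raw `udp-162` and `tcp-4334` ones. For a shared ingress that is a wider trust boundary than the example needs. Restricting attachment per listener with `from: Selector` plus a `selector.matchLabels` entry on a deployer-chosen namespace label limits who can publish hostnames through it. If `All` is deliberate for the demo, a comment at the top of the file should say so, e.g. `# from: All lets every namespace bind routes - restrict with from: Selector outside lab setups`.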
--- a/docs/sections/resources/yaml/environments_onap_demo.yaml +++ b/docs/sections/resources/yaml/environments_onap_demo.yaml @@ -13,7 +13,7 @@ global: repository: nexus3.onap.org:10001 repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== # readiness check - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 # logging agent loggingRepository: docker.elastic.co @@ -32,36 +32,22 @@ global: # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false aai: enabled: false -appc: - enabled: false -clamp: - enabled: true cli: enabled: false -consul: # Consul Health Check Monitoring - enabled: false cps: enabled: false dcaegen2: enabled: false -log: - enabled: false message-router: enabled: false -mock: - enabled: false msb: enabled: false multicloud: enabled: false policy: enabled: false -portal: - enabled: false robot: # Robot Health Check enabled: true sdc: @@ -97,7 +83,5 @@ uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false diff --git a/docs/sections/resources/yaml/envoyfilter-case.yaml b/docs/sections/resources/yaml/envoyfilter-case.yaml index c919319ecc..31e80374e2 100644 --- a/docs/sections/resources/yaml/envoyfilter-case.yaml +++ b/docs/sections/resources/yaml/envoyfilter-case.yaml 
@@ -21,6 +21,49 @@ spec: name: preserve_case typed_config: '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig + - applyTo: NETWORK_FILTER + match: + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + patch: + operation: MERGE + value: + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: header-casing-outbound + namespace: istio-config + #annotations: + # argocd.argoproj.io/hook: PostSync +spec: + configPatches: + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + patch: + operation: MERGE + value: + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + use_downstream_protocol_config: + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig - applyTo: NETWORK_FILTER match: listener: diff --git a/docs/sections/resources/yaml/istio-ingress.yaml b/docs/sections/resources/yaml/istio-ingress.yaml new file mode 100644 index 0000000000..ae215c118a --- /dev/null +++ b/docs/sections/resources/yaml/istio-ingress.yaml 
@@ -0,0 +1,36 @@ +service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + - name: kafka-bootstrap + port: 9010 + targetPort: 9010 + protocol: TCP + - name: kafka-0 + port: 9000 + targetPort: 9000 + protocol: TCP + - name: kafka-1 + port: 9001 + targetPort: 9001 + protocol: TCP + - name: kafka-2 + port: 9002 + targetPort: 9002 + protocol: TCP + - name: sdnc-callhome + port: 4334 + targetPort: 4334 + protocol: TCP \ No newline at end of file diff --git a/docs/sections/resources/yaml/istiod.yaml b/docs/sections/resources/yaml/istiod.yaml new file mode 100644 index 0000000000..792f686cc6 --- /dev/null +++ b/docs/sections/resources/yaml/istiod.yaml @@ -0,0 +1,20 @@ +global: + proxy: + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: true + #logging: + # level: "default:debug" +meshConfig: + rootNamespace: istio-config + extensionProviders: + - name: oauth2-proxy + envoyExtAuthzHttp: + service: oauth2-proxy.default.svc.cluster.local + port: 80 + timeout: 1.5s + includeHeadersInCheck: ["authorization", "cookie"] + headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"] + headersToDownstreamOnDeny: ["content-type", "set-cookie"] +pilot: + env: + PILOT_HTTP10: true \ No newline at end of file diff --git a/docs/sections/resources/yaml/keycloak-db-values.yaml b/docs/sections/resources/yaml/keycloak-db-values.yaml new file mode 100644 index 0000000000..ae1459bea7 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-db-values.yaml 
@@ -0,0 +1,7 @@ +# See https://github.com/bitnami/charts/tree/master/bitnami/postgresql +global: + postgresql: + auth: + username: dbusername + password: dbpassword + database: keycloak \ No newline at end of file diff --git a/docs/sections/resources/yaml/keycloak-ingress.yaml b/docs/sections/resources/yaml/keycloak-ingress.yaml new file mode 100644 index 0000000000..91fc34f381 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-ingress.yaml @@ -0,0 +1,55 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + labels: + app.kubernetes.io/managed-by: Helm + name: keycloak-ui-http-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui.simpledemo.onap.org + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: common-gateway + namespace: istio-ingress + sectionName: https-80 + rules: + Filters: + Request Redirect: + Port: 443 + Scheme: https + Status Code: 301 + Type: RequestRedirect + Matches: + Path: + Type: PathPrefix + Value: /auth +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + labels: + app.kubernetes.io/managed-by: Helm + name: keycloak-ui-http-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui.simpledemo.onap.org + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: common-gateway + namespace: istio-ingress + sectionName: https-443 + rules: + - backendRefs: + - group: "" + kind: Service + name: keycloak-keycloakx-http + port: 80 + weight: 1 + matches: + - path: + type: PathPrefix + value: /auth diff --git a/docs/sections/resources/yaml/keycloak-server-values.yaml b/docs/sections/resources/yaml/keycloak-server-values.yaml new file mode 100644 index 0000000000..0160ce86e8 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-server-values.yaml 
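Review bot: The example puts the database credentials `dbusername`/`dbpassword` directly in the values, and keycloak-server-values.yaml in this commit repeats the same pair, so anyone applying the files unchanged gets a known password. A comment above `auth:` should mark them as placeholders, e.g. `# placeholder credentials - replace before use, or point existingSecret at a pre-created Secret`. The Bitnami chart linked in the header comment accepts `global.postgresql.auth.existingSecret`, which keeps the password out of the values file altogether.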
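Review bot: The first HTTPRoute cannot act as the HTTP-to-HTTPS redirect it describes, so requests for `/auth` on port 80 are never upgraded. Its `sectionName: https-80` matches no listener (common-gateway.yaml in this commit names that listener `http-80`), and its `rules` are written in `kubectl describe` output form (`Filters:`, `Request Redirect:`, `Status Code:`) instead of manifest keys. Both documents also use the name `keycloak-ui-http-route` in namespace `keycloak`, so applying the file leaves only the second one. The redirect route needs its own name, the `http-80` section and a real `requestRedirect` filter, as sketched below; the route name there is only a suggestion.

```yaml
metadata:
  # ... unchanged: labels ...
  name: keycloak-ui-http-redirect   # suggested name; must differ from the HTTPS route
spec:
  # ... unchanged: hostnames, parentRefs up to namespace ...
      sectionName: http-80
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            port: 443
            statusCode: 301
      matches:
        - path:
            type: PathPrefix
            value: /auth
```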
@@ -0,0 +1,48 @@ +--- +command: + - "/opt/keycloak/bin/kc.sh" + - "--verbose" + - "start" + - "--http-enabled=true" + - "--http-port=8080" + - "--hostname-strict=false" + - "--hostname-strict-https=false" + - "--spi-events-listener-jboss-logging-success-level=info" + - "--spi-events-listener-jboss-logging-error-level=warn" + +extraEnv: | + - name: KEYCLOAK_ADMIN + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: user + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: password + - name: JAVA_OPTS_APPEND + value: >- + -XX:+UseContainerSupport + -XX:MaxRAMPercentage=50.0 + -Djava.awt.headless=true + -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless + - name: PROXY_ADDRESS_FORWARDING + value: "true" + +dbchecker: + enabled: true + +database: + vendor: postgres + hostname: keycloak-db-postgresql + port: 5432 + username: dbusername + password: dbpassword + database: keycloak + +secrets: + admin-creds: + stringData: + user: admin + password: secret diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns_attrib.dat b/docs/spelling_wordlist.txt similarity index 100% rename from kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns_attrib.dat rename to docs/spelling_wordlist.txt diff --git a/docs/tox.ini b/docs/tox.ini index 8bec1b5ba0..b0a7bbafa3 100644 --- a/docs/tox.ini +++ b/docs/tox.ini 
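Review bot: The `secrets.admin-creds` block ships the Keycloak administrator as `admin`/`secret`, and `database.password` repeats `dbpassword`, so a deployment made from this file unchanged has a known admin password on the identity provider. Both entries need a comment marking them as placeholders, e.g. `# placeholder - replace with a generated value or supply the Secret out of band`. Separately, `--hostname-strict=false` lets Keycloak take its public hostname from request headers, which is only safe when the proxy in front overwrites them. A one-line comment stating that assumption next to the flag would make the dependency on the gateway explicit.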
@@ -7,26 +7,32 @@ skipsdist = true basepython = python3.8 deps = -r{toxinidir}/requirements-docs.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master +allowlist_externals = sudo commands = + sudo apt install graphviz sphinx-build -W -q -b html -n -d {envtmpdir}/doctrees {toxinidir} {toxinidir}/_build/html [testenv:docs-linkcheck] basepython = python3.8 deps = -r{toxinidir}/requirements-docs.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master +allowlist_externals = sudo commands = + sudo apt install graphviz sphinx-build -W -q -b linkcheck -d {envtmpdir}/doctrees {toxinidir} {toxinidir}/_build/linkcheck [testenv:docs-spellcheck] basepython = python3.8 deps = -r{toxinidir}/requirements-docs.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master +allowlist_externals = sudo commands = + sudo apt install graphviz sphinx-build -b spelling -d {envtmpdir}/doctrees {toxinidir} {toxinidir}/_build/spellcheck diff --git a/kubernetes/README.md b/kubernetes/README.md index 696ede70c0..46636b9385 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md @@ -54,7 +54,6 @@ Step 5. Display the charts that are available to be deployed: ``` > helm search -l NAME VERSION DESCRIPTION -local/appc 2.0.0 Application Controller local/clamp 2.0.0 ONAP Clamp local/onap 2.0.0 Open Network Automation Platform (ONAP) local/robot 2.0.0 A helm Chart for kubernetes-ONAP Robot 
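Review bot: All three environments in this hunk now run `sudo apt install graphviz` as a tox command, so a docs build needs root, stops for a password where sudo is not passwordless, and waits for confirmation because `-y` is missing. `.readthedocs.yaml` in this commit already installs graphviz through `apt_packages`, so the package is better listed as a prerequisite and the `sudo` command and `allowlist_externals = sudo` dropped from each environment. If the install has to stay inside tox, `sudo apt-get install -y graphviz` at least keeps it non-interactive. The header of the first environment lies outside the hunk; the same lines recur under `[testenv:docs-linkcheck]` and `[testenv:docs-spellcheck]`.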
diff --git a/kubernetes/a1policymanagement/Chart.yaml b/kubernetes/a1policymanagement/Chart.yaml index 1fa512a50d..5bd25f0280 100644 --- a/kubernetes/a1policymanagement/Chart.yaml +++ b/kubernetes/a1policymanagement/Chart.yaml @@ -20,18 +20,15 @@ apiVersion: v2 appVersion: "1.0.0" description: A Helm chart for A1 Policy Management Service name: a1policymanagement -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/a1policymanagement/resources/config/application.yaml b/kubernetes/a1policymanagement/resources/config/application.yaml index 05fddb2628..789f3eb673 100644 --- a/kubernetes/a1policymanagement/resources/config/application.yaml +++ b/kubernetes/a1policymanagement/resources/config/application.yaml 
@@ -39,36 +39,33 @@ management: logging: # Configuration of logging level: - ROOT: DEBUG - org.springframework: DEBUG - org.springframework.data: DEBUG - org.springframework.web.reactive.function.client.ExchangeFunctions: DEBUG - org.onap.ccsdk.oran.a1policymanagementservice: DEBUG + ROOT: ERROR + org.springframework: ERROR + org.springframework.data: ERROR + org.springframework.web.reactive.function.client.ExchangeFunctions: ERROR + org.onap.ccsdk.oran.a1policymanagementservice: INFO file: name: /var/log/policy-agent/application.log server: # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework. # See springboot documentation. - port: 8433 + #port: 8081 http-port: 8081 ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false key-store-type: PKCS12 - key-store-password: ${KEYSTORE_PASSWORD} - key-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 - key-password: ${KEYSTORE_PASSWORD} - key-alias: {{ .Values.certInitializer.fqi }} + key-store-password: "" + key-store: "" + key-password: "" + key-alias: "" app: # Location of the component configuration file. The file will only be used if the Consul database is not used; # configuration from the Consul will override the file. filepath: /opt/app/policy-agent/data/application_configuration.json webclient: - # Configuration of the trust store used for the HTTP client (outgoing requests) - # The file location and the password for the truststore is only relevant if trust-store-used == true - # Note that the same keystore as for the server is used. trust-store-used: false - trust-store-password: ${TRUSTSORE_PASSWORD} - trust-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks + trust-store-password: "" + trust-store: "" # Configuration of usage of HTTP Proxy for the southbound accesses. 
# The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s http.proxy-host: diff --git a/kubernetes/a1policymanagement/resources/config/application_configuration.json b/kubernetes/a1policymanagement/resources/config/application_configuration.json index 757ee04f35..837ce0c5b8 100644 --- a/kubernetes/a1policymanagement/resources/config/application_configuration.json +++ b/kubernetes/a1policymanagement/resources/config/application_configuration.json @@ -3,27 +3,11 @@ "controller": [ { "name": "controller1", - "baseUrl": "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.sdncLink .Values.sdncLinkHttp }}", + "baseUrl": "{{ .Values.sdncLink }}", "userName": "${A1CONTROLLER_USER}", "password": "${A1CONTROLLER_PASSWORD}" } ], - "ric": {{ include "a1p.generateRics" . | indent 6 | trim }}, - "streams_publishes": { - "dmaap_publisher": { - "type": "message_router", - "dmaap_info": { - "topic_url": "{{ .Values.streamPublish }}" - } - } - }, - "streams_subscribes": { - "dmaap_subscriber": { - "type": "message_router", - "dmaap_info": { - "topic_url": "{{ .Values.streamSubscribe }}" - } - } - } + "ric": {{ include "a1p.generateRics" . | indent 6 | trim}} } } diff --git a/kubernetes/a1policymanagement/templates/configmap.yaml b/kubernetes/a1policymanagement/templates/configmap.yaml index e84beac2ab..13dd4dbd05 100644 --- a/kubernetes/a1policymanagement/templates/configmap.yaml +++ b/kubernetes/a1policymanagement/templates/configmap.yaml @@ -18,7 +18,6 @@ apiVersion: v1 kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} - name: {{ include "common.fullname" . }}-policy-conf +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "policy-conf" ) | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} 
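Review bot: The `server` block is left with a commented-out `#port: 8081` and an `ssl` section whose key-store fields are empty strings, and the comment that explained the web client trust store is removed, so nothing tells a reader that the service now speaks plain HTTP only. A comment above `ssl:` would record the intent, e.g. `# TLS is not terminated here; transport security is expected from the service mesh` (inferred from the rest of the commit, to be confirmed). With `port` unset the framework default presumably applies alongside `http-port: 8081`; if only 8081 is meant to listen, say so in a comment or delete the dead `#port` line. The file continues outside the hunk.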
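Review bot: `baseUrl` now always takes `.Values.sdncLink`, which values.yaml in this commit sets to `http://sdnc.onap:8282`, while the entry still carries `${A1CONTROLLER_USER}` and `${A1CONTROLLER_PASSWORD}`. The controller credentials therefore travel over plain HTTP unless something outside this chart encrypts pod-to-pod traffic. If mesh mTLS is the intended protection, record it next to `sdncLink` in the values.yaml hunk `@@ -72,21 +39,25 @@`, e.g. `# plain HTTP: relies on mesh mTLS between a1policymanagement and sdnc`.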
diff --git a/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml b/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml index 99449638f4..f12d60127f 100644 --- a/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml +++ b/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml @@ -17,7 +17,6 @@ */}} apiVersion: v1 kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} - name: {{ include "common.fullname" . }}-envsubst-scripts +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "envsubst-scripts" ) | nindent 2 }} data: {{ tpl (.Files.Glob "resources/envsubst/*").AsConfig . | indent 2 }} diff --git a/kubernetes/a1policymanagement/templates/ingress.yaml b/kubernetes/a1policymanagement/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/a1policymanagement/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/a1policymanagement/templates/statefulset.yaml b/kubernetes/a1policymanagement/templates/statefulset.yaml index 89d131e26c..4458744a55 100644 --- a/kubernetes/a1policymanagement/templates/statefulset.yaml +++ b/kubernetes/a1policymanagement/templates/statefulset.yaml 
@@ -28,9 +28,8 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-bootstrap-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -39,10 +38,6 @@ spec: args: - -c - | - {{- if (include "common.needTLS" .) }} - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop\ - | xargs -0) - {{- end }} cd /config-input for PFILE in `ls -1` do @@ -55,7 +50,7 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }} - name: A1CONTROLLER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - mountPath: /config-input name: {{ include "common.fullname" . }}-policy-conf-input - mountPath: /config @@ -97,10 +92,10 @@ spec: httpGet: path: /status port: {{ .Values.liveness.port }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - name: config mountPath: /opt/app/policy-agent/data/application_configuration.json subPath: application_configuration.json 
@@ -111,7 +106,7 @@ spec: mountPath: "/var/policy-management-service/database" resources: {{ include "common.resources" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + volumes: - name: {{ include "common.fullname" . }}-policy-conf-input configMap: name: {{ include "common.fullname" . }}-policy-conf diff --git a/kubernetes/a1policymanagement/values.yaml b/kubernetes/a1policymanagement/values.yaml index 71d8852b53..9ae6b60626 100644 --- a/kubernetes/a1policymanagement/values.yaml +++ b/kubernetes/a1policymanagement/values.yaml 
@@ -30,40 +30,7 @@ secrets: password: '{{ .Values.a1controller.password }}' passwordPolicy: required -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: a1p-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: a1p - fqi: a1p@a1p.onap.org - public_fqdn: a1p.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.a1p - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 . - -image: onap/ccsdk-oran-a1policymanagementservice:1.3.2 +image: onap/ccsdk-oran-a1policymanagementservice:1.5.0 userID: 1000 #Should match with image-defined user ID groupID: 999 #Should match with image-defined group ID pullPolicy: IfNotPresent 
@@ -72,21 +39,25 @@ replicaCount: 1 service: type: NodePort name: a1policymanagement - both_tls_and_plain: true ports: - name: api - port: 8433 - plain_port: 8081 + port: 8081 port_protocol: http nodePort: '94' +ingress: + enabled: false + service: + - baseaddr: 'a1policymanagement-api' + name: 'a1policymanagement' + port: 8081 + # SDNC Credentials are used here a1controller: user: admin password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U -sdncLink: https://sdnc.onap:8443 -sdncLinkHttp: http://sdnc.onap:8282 +sdncLink: http://sdnc.onap:8282 # The information about A1-Mediator/RICs can be added here. # The A1 policy management service supports both STD & OSC versions. # Alternatively, the A1 simulator from ORAN-SC can also be used. It provides STD & OSC versions for A1 termination. @@ -105,8 +76,6 @@ sdncLinkHttp: http://sdnc.onap:8282 # - kista3 # - kista4 rics: -streamPublish: http://message-router:3904/events/A1-POLICY-AGENT-WRITE -streamSubscribe: http://message-router:3904/events/A1-POLICY-AGENT-READ/users/policy-agent?timeout=15000&limit=100 liveness: port: api @@ -123,18 +92,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 300Mi + cpu: "2" + memory: "600Mi" requests: - cpu: 1 - memory: 150Mi + cpu: "1" + memory: "300Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} ## Persist data to a persistent volume diff --git a/kubernetes/aaf/.gitignore b/kubernetes/aaf/.gitignore deleted file mode 100644 index 71fbb5cbb9..0000000000 --- a/kubernetes/aaf/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -/sms/ -components/dist diff --git a/kubernetes/aaf/.helmignore b/kubernetes/aaf/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/aaf/.helmignore +++ /dev/null 
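Review bot: After this hunk the only `api` port is 8081 with `port_protocol: http`, yet `service.type` stays `NodePort`, so the plain-HTTP API is published on node addresses and not only inside the cluster. The hunk also adds an `ingress` block for the same port, which makes the NodePort redundant once ingress is enabled. Consider `type: ClusterIP` here and exposing the API through `ingress.enabled: true`, or add a comment explaining why node-level exposure is still needed. How `nodePort: '94'` is expanded depends on common templates that are not part of this hunk.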
@@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/aaf/Chart.yaml b/kubernetes/aaf/Chart.yaml deleted file mode 100644 index ef46ad605e..0000000000 --- a/kubernetes/aaf/Chart.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -# Copyright © 2018 ZTE -# Modifications Copyright © 2018 AT&T, Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Application Authorization Framework -name: aaf -version: 12.0.0 - -dependencies: - - name: aaf-cass - version: ~12.x-0 - repository: 'file://components/aaf-cass' - condition: aaf-authz.enabled - - name: aaf-cm - version: ~12.x-0 - repository: 'file://components/aaf-cm' - condition: aaf-authz.enabled - - name: aaf-fs - version: ~12.x-0 - repository: 'file://components/aaf-fs' - condition: aaf-authz.enabled - - name: aaf-gui - version: ~12.x-0 - repository: 'file://components/aaf-gui' - condition: aaf-authz.enabled - - name: aaf-locate - version: ~12.x-0 - repository: 'file://components/aaf-locate' - condition: aaf-authz.enabled - - name: aaf-oauth - version: ~12.x-0 - repository: 'file://components/aaf-oauth' - condition: aaf-authz.enabled - - name: aaf-service - version: ~12.x-0 - repository: 'file://components/aaf-service' - condition: aaf-authz.enabled - - name: aaf-sms - version: ~12.x-0 - repository: 'file://components/aaf-sms' - condition: aaf-sms.enabled - - name: aaf-sshsm - version: ~12.x-0 - repository: 'file://components/aaf-sshsm' - condition: aaf-sshsm.enabled diff --git a/kubernetes/aaf/Makefile b/kubernetes/aaf/Makefile deleted file mode 100644 index 75247b44b7..0000000000 
--- a/kubernetes/aaf/Makefile +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/Makefile b/kubernetes/aaf/components/Makefile deleted file mode 100644 index e1b6f31886..0000000000 --- a/kubernetes/aaf/components/Makefile +++ /dev/null 
@@ -1,65 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -PROCESSED_FIRST := aaf-templates -TO_FILTER := $(PROCESSED_FIRST) $(EXCLUDES) - -HELM_CHARTS := $(filter-out $(TO_FILTER), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(PROCESSED_FIRST): - @echo "\n[$@]" - @make package-$@ - -$(HELM_CHARTS): $(PROCESSED_FIRST) - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
diff --git a/kubernetes/aaf/components/aaf-cass/.helmignore b/kubernetes/aaf/components/aaf-cass/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/aaf/components/aaf-cass/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-cass/Chart.yaml b/kubernetes/aaf/components/aaf-cass/Chart.yaml deleted file mode 100644 index 86dba6c827..0000000000 --- a/kubernetes/aaf/components/aaf-cass/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF cassandra -name: aaf-cass -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat deleted file mode 100644 index 8a923b2bff..0000000000 
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat +++ /dev/null 
@@ -1,74 +0,0 @@ -a1p@a1p.onap.org|a1p|local|/opt/app/osaaf/local||mailto:|org.onap.a1p|root|30|{'a1policymanagement.onap', 'a1policymanagement', 'a1policymanagement.api.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'pkcs12'} -aaf@aaf.osaaf.org|aaf-hello|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf-hello', 'aaf-hello.api.simpledemo.onap.org', 'aaf-hello.onap', 'aaf.osaaf.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -aaf@aaf.osaaf.org|aaf|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf', 'aaf.api.simpledemo.onap.org', 'aaf.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -aaf-sms@aaf-sms.onap.org|aaf-sms|local|/opt/app/osaaf/local||mailto:|org.onap.aaf-sms|root|30|{'aaf-sms-db.onap', 'aaf-sms.api.simpledemo.onap.org', 'aaf-sms.onap', 'aaf-sms.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12', 'file'} -aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'} -aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-babel.onap', 'aai-babel', 'aai-graphadmin', 'aai-graphadmin.onap', 
'aai-modelloader.onap', 'aai-modelloader', 'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'} -aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'} -aai-resources@aai-resources.onap.org|aai-resources|local|/opt/app/osaaf/local||mailto:|org.onap.aai-resources|root|30|{'aai-resources', 'aai-resources.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -aai-schema-service@aai-schema-service.onap.org|aai-schema-service|local|/opt/app/osaaf/local||mailto:|org.onap.aai-schema-service|root|30|{'aai-schema-service', 'aai-schema-service.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -aai-traversal@aai-traversal.onap.org|aai-traversal|local|/opt/app/osaaf/local||mailto:|org.onap.aai-traversal|root|30|{'aai-traversal', 'aai-traversal.onap'}|mmanager@osaaf.org|{'file', 'jks', 
'pkcs12'} -appc@appc.onap.org|appc|local|/opt/app/osaaf/local||mailto:|org.onap.appc|root|60|{'appc.api.simpledemo.onap.org', 'appc.onap', 'appc.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'} -appc-cdt@appc-cdt.onap.org|appc-cdt|local|/opt/app/osaaf/local||mailto:|org.onap.appc-cdt|root|30|{'appc-cdt', 'appc-cdt.api.simpledemo.onap.org', 'appc-cdt.onap'}|mmanager@osaaf.org|{'file', 'pkcs12', 'script'} -clamp@clamp.onap.org|clamp|local|/opt/app/osaaf/local||mailto:|org.onap.clamp|root|30|{'clamp', 'clamp-onap', 'clamp.api.simpledemo.onap.org', 'clamp.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -clamp@clamp.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.clamp|jg1555|30|{'clamp.api.simpledemo.onap.org', 'clamp.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -cli@cli.onap.org|cli|local|/opt/app/osaaf/local||mailto:|org.onap.cli|root|30|{'cli', 'cli.api.simpledemo.onap.org', 'cli.onap'}|mmanager@osaaf.org|{'file', 'pkcs12', 'jks'} -dcae@dcae.onap.org|dcae|local|/opt/app/osaaf/local||mailto:|org.onap.dcae|root|60|{'bbs-event-processor', 'bbs-event-processor.onap', 'bbs-event-processor.onap.svc.cluster.local', 'config-binding-service', 'config-binding-service.onap', 'config-binding-service.onap.svc.cluster.local', 'dashboard', 'dashboard.onap', 'dashboard.onap.svc.cluster.local', 'dcae-cloudify-manager', 'dcae-cloudify-manager.onap', 'dcae-cloudify-manager.onap.svc.cluster.local', 'dcae-datafile-collector', 'dcae-datafile-collector.onap', 'dcae-datafile-collector.onap.svc.cluster.local', 'dcae-hv-ves-collector', 'dcae-hv-ves-collector.onap', 'dcae-hv-ves-collector.onap.svc.cluster.local', 'dcae-pm-mapper', 'dcae-pm-mapper.onap', 'dcae-pm-mapper.onap.svc.cluster.local', 'dcae-pmsh', 'dcae-pmsh.onap', 'dcae-pmsh.onap.svc.cluster.local', 'dcae-prh', 'dcae-prh.onap', 'dcae-prh.onap.svc.cluster.local', 'dcae-tca-analytics', 'dcae-tca-analytics.onap', 'dcae-tca-analytics.onap.svc.cluster.local', 'dcae-ves-collector', 
'dcae-ves-collector.onap', 'dcae-ves-collector.onap.svc.cluster.local', 'deployment-handler', 'deployment-handler.onap', 'deployment-handler.onap.svc.cluster.local', 'holmes-engine-mgmt', 'holmes-engine-mgmt.onap', 'holmes-engine-mgmt.onap.svc.cluster.local', 'holmes-rule-mgmt', 'holmes-rules-mgmt.onap', 'holmes-rules-mgmt.onap.svc.cluster.local', 'inventory', 'inventory.onap', 'inventory.onap.svc.cluster.local', 'policy-handler', 'policy-handler.onap', 'policy-handler.onap.svc.cluster.local'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap-bc@dmaap-bc.onap.org|dmaap-bc|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-bc|root|30|{'dmaap-bc', 'dmaap-bc.api.simpledemo.onap.org', 'dmaap-bc.onap'}|mmanager@osaaf.org|{'jks', 'pkcs12', 'script'} -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|dmaap-bc-mm-prov|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-bc-mm-prov|root|30|{'dmaap-bc-mm-prov', 'dmaap-bc-mm-prov.api.simpledemo.onap.org', 'dmaap-bc-mm-prov.onap', 'onap.dmaap-bc-mm-prov'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|dmaap-bc-topic-mgr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-bc-topic-mgr|root|30|{'dmaap-bc-topic-mgr', 'dmaap-bc-topic-mgr.api.simpledemo.onap.org', 'dmaap-bc-topic-mgr.onap', 'onap.dmaap-bc-topic-mgr'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-dr@dmaap-dr.onap.org|dmaap-dr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-dr|root|30|{'dmaap-dr', 'dmaap-dr.api.simpledemo.onap.org', 'dmaap-dr.onap', 'onap.dmaap-dr'}|aaf_admin@osaaf.org|{'jks', 'script'} -dmaap-dr-node@dmaap-dr-node.onap.org|dmaap-dr-node|local|/opt/app/osaaf/local||mailto:|onap.dmaap-dr-node|root|30|{'dmaap-dr-node', 'dmaap-dr-node.api.simpledemo.onap.org', 'dmaap-dr-node.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-dr-node@dmaap-dr.onap.org|dmaap-dr-node|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-dr|root|30|{'dmaap-dr-node', 'dmaap-dr-node.api.simpledemo.onap.org', 
'dmaap-dr-node.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap-dr-node@dmaap-dr.onap.org|mithril|local|/Volumes/Data/open/authz/auth/docker/dmaap_dr_node||mailto:|org.onap.dmaap-dr|jg1555|30|{'dmaap-dr-node', 'dmaap-dr-node.api.simpledemo.onap.org', 'dmaap-dr-node.onap'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -dmaap-dr-prov@dmaap-dr.onap.org|dmaap-dr-prov|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-dr|root|30|{'dmaap-dr-prov', 'dmaap-dr-prov.api.simpledemo.onap.org', 'dmaap-dr-prov.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap-dr-prov@dmaap-dr.onap.org|mithril|local|/tmp/temp||mailto:|org.onap.dmaap-dr|jg1555|30|{'dmaap-dr-prov', 'dmaap-dr-prov.api.simpledemo.onap.org', 'dmaap-dr-prov.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'} -dmaap-dr-prov@dmaap-dr-prov.onap.org|dmaap-dr-prov|local|/opt/app/osaaf/local||mailto:|onap.dmaap-dr-prov|root|30|{'dmaap-dr-prov', 'dmaap-dr-prov.api.simpledemo.onap.org', 'dmaap-dr-prov.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-mr@dmaap-mr.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-mr|root|30|{'dmaap-mr', 'dmaap-mr.onap', 'message-router', 'message-router.onap', 'mr.api.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|10.12.25.177|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|@osaaf.org|{'pkcs12', 'script'} -dmaapmr@mr.dmaap.onap.org|dmaapmr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router', 'message-router.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaapmr@mr.dmaap.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router-kafka-0', 'message-router-kafka-0.onap', '{{include "common.release" 
.}}-message-router-kafka-0.message-router-kafka.onap.svc.cluster.local', 'message-router-kafka-1', 'message-router-kafka-1.onap', '{{include "common.release" .}}-message-router-kafka-1.message-router-kafka.onap.svc.cluster.local', 'message-router-kafka-2', 'message-router-kafka-2.onap', '{{include "common.release" .}}-message-router-kafka-2.message-router-kafka.onap.svc.cluster.local', 'message-router', 'mr.api.simpledemo.onap.org', 'message-router.onap', 'dmaapmr dmaap.mr', 'dmaap-mr', 'dmaap.mr.onap', 'dmaap-mr.onap', 'dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaapmr@mr.dmaap.onap.org|dmaap.mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|dmaap.mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|dmaapmr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -holmes@holmes.onap.org|holmes|local|/opt/app/osaaf/local||mailto:|org.onap.holmes|root|30|{'holmes.api.simpledemo.onap.org', 'holmes.onap'}|aaf_admin@osaaf.org|{'pkcs12'} 
-holmes-rule-mgmt@holmes-rule-mgmt.onap.org|holmes-rule-mgmt|local|/opt/app/osaaf/local||mailto:|org.onap.holmes-rule-mgmt|root|30|{'holmes-rule-mgmt', 'holmes-rule-mgmt.api.simpledemo.onap.org', 'holmes-rule-mgmt.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|holmes-engine-mgmt|local|/opt/app/osaaf/local||mailto:|org.onap.holmes-engine-mgmt|root|30|{'holmes-engine-mgmt', 'holmes-engine-mgmt.api.simpledemo.onap.org', 'holmes-engine-mgmt.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -msb-eag@msb-eag.onap.org|msb-eag|local|/opt/app/osaaf/local||mailto:|org.onap.msb-eag|root|30|{'msb-eag', 'msb-eag.api.simpledemo.onap.org', 'msb-eag.onap'}|mmanager@osaaf.org|{'file', 'pkcs12'} -msb-iag@msb-iag.onap.org|msb-iag|local|/opt/app/osaaf/local||mailto:|org.onap.msb-iag|root|30|{'msb-iag', 'msb-iag.api.simpledemo.onap.org', 'msb-iag.onap'}|mmanager@osaaf.org|{'file', 'pkcs12'} -music@music.onap.org|music|aaf|/opt/app/aaf/local||mailto:|org.onap.music|root|30|{'music.api.simpledemo.onap.org', 'music.onap'}|mmanager@osaaf.org|{'pkcs12', 'script'} -music@music.onap.org|music.onap|local|/opt/app/osaaf/local||mailto:|org.onap.music|root|30|{'music-api', 'music-api.onap', 'music-onap', 'music.api.simpledemo.onap.org', 'music.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -nbi@nbi.onap.org|nbi|local|/opt/app/osaaf/local||mailto:|org.onap.nbi|root|30|{'nbi', 'nbi.api.simpledemo.onap.org', 'nbi.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -ngi@ngi.onap.org|ngi|local|/opt/app/osaaf/local||mailto:|org.onap.ngi|root|30|{'ngi.api.simpledemo.onap.org', 'ngi.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -oof@oof.onap.org|oof.api.simpledemo.onap.org|local|/opt/app/osaaf/local||mailto:jflood@att.com|org.onap.oof|root|30|{'cmso-onap', 'cmso.api.simpledemo.onap.org', 'cmso.onap', 'oof-has-api', 'oof-has-api.onap', 'oof-onap', 'oof-opteng', 'oof-opteng.onap', 'oof-osdf', 'oof-osdf.onap', 'oof.api.simpledemo.onap.org', 
'oof.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -oof@oof.onap.org|oof|local|/opt/app/osaaf/local||mailto:jflood@att.com|org.onap.oof|root|30|{'cmso-onap', 'cmso.api.simpledemo.onap.org', 'cmso.onap', 'oof-has-api', 'oof-has-api.onap', 'oof-onap', 'oof-osdf', 'oof-osdf.onap', 'oof.api.simpledemo.onap.org', 'oof.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -oof@oof.onap.org|oof.onap|local|/opt/app/osaaf/local||mailto:jflood@att.com|org.onap.oof|root|30|{'cmso-onap', 'cmso.api.simpledemo.onap.org', 'cmso.onap', 'oof-cmso', 'oof-cmso-optimizer', 'oof-cmso-ticketmgt', 'oof-cmso-topology', 'oof-has-api', 'oof-has-api.onap', 'oof-onap', 'oof-opteng', 'oof-opteng.onap', 'oof-osdf', 'oof-osdf.onap', 'oof.api.simpledemo.onap.org', 'oof.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -policy@policy.onap.org|policy|local|/opt/app/osaaf/local||mailto:|org.onap.policy|root|60|{'policy-drools-pdp', 'policy-drools-pdp.onap', 'policy', 'policy-apex-pdp', 'policy-apex-pdp.onap', 'policy-api', 'policy-api.onap', 'policy-distribution', 'policy-distribution.onap', 'policy-pap', 'policy-pap.onap', 'policy-xacml-pdp', 'policy-xacml-pdp.onap', 'policy.api.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -pomba@pomba.onap.org|onap.pomba|local|/opt/app/osaaf/local||mailto:|org.onap.pomba|root|30|{'onap.pomba', 'onap_pomba', 'pomba', 'pomba.api.simpledemo.onap.org', 'pomba.onap', 'pomba_onap'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -portal@portal.onap.org|portal|local|/opt/app/osaaf/local||mailto:|org.onap.portal|root|30|{'onap.portal', 'onap_portal', 'portal', 'portal-app', 'portal.api.simpledemo.onap.org', 'portal.onap', 'portal_onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -refrepo@refrepo.onap.org|refrepo|local|/opt/app/osaaf/local||mailto:|org.onap.refrepo|root|30|{'refrepo', 'refrepo.api.simpledemo.onap.org', 'refrepo.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} 
-sdc@sdc.onap.org|sdc-fe.onap|local|/opt/app/osaaf/local||mailto:|org.onap.sdc|root|30|{'sdc-fe.onap', 'sdc.api.simpledemo.onap.org', 'sdc.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -sdc@sdc.onap.org|sdc|local|/opt/app/osaaf/local||mailto:|org.onap.sdc|root|60|{'*.onap', '*.onap.org', 'sdc', 'sdc-be.onap', 'sdc-dcae-be.onap', 'sdc-dcae-dt.onap', 'sdc-dcae-fe.onap', 'sdc-dcae-tosca-lab.onap', 'sdc-es.onap', 'sdc-fe.onap', 'sdc-kb.onap', 'sdc-onap.org', 'sdc-onboarding-be.onap', 'sdc-wfd-be.onap', 'sdc-wfd-fe.onap', 'sdc.api.fe.simpledemo.onap.org', 'sdc.api.simpledemo.onap.org', 'sdc.dcae.plugin.simpledemo.onap.org', 'sdc.workflow.plugin.simpledemo.onap.org', 'webseal.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -sdc@sdc.onap.org|sdc.onap|local|/opt/app/osaaf/local||mailto:|org.onap.sdc|root|60|{'*.onap', '*.onap.org', 'sdc', 'sdc-be.onap', 'sdc-dcae-be.onap', 'sdc-dcae-dt.onap', 'sdc-dcae-fe.onap', 'sdc-dcae-tosca-lab.onap', 'sdc-es.onap', 'sdc-fe.onap', 'sdc-kb.onap', 'sdc-onap.org', 'sdc-onboarding-be.onap', 'sdc-wfd-be.onap', 'sdc-wfd-fe.onap', 'sdc.api.fe.simpledemo.onap.org', 'sdc.api.simpledemo.onap.org', 'sdc.dcae.plugin.simpledemo.onap.org', 'sdc.workflow.plugin.simpledemo.onap.org', 'webseal.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -sdnc-cds@sdnc-cds.onap.org|sdnc-cds|local|/opt/app/osaaf/local||mailto:|org.onap.sdnc-cds|root|30|{'c1.vm1.sdnc-cds.simpledemo.onap', 'c2.vm1.sdnc-cds.simpledemo.onap', 'c3.vm1.sdnc-cds.simpledemo.onap', 'c4.vm1.sdnc-cds.simpledemo.onap', 'onap-sdnc-cds', 'onap-sdnc-cds.onap', 'sdnc-cds', 'sdnc-cds.api.simpledemo.onap.org', 'sdnc-cds.onap', 'vm1.sdnc-cds.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'pkcs12', 'script'} -sdnc@sdnc.onap.org|ccsdk-sdnc-heat-dev|local|/home/ubuntu/cert||mailto:|org.onap.sdnc|ubuntu|60|{'c1.vm1.sdnc.simpledemo.onap', 'c2.vm1.sdnc.simpledemo.onap', 'c3.vm1.sdnc.simpledemo.onap', 'c4.vm1.sdnc.simpledemo.onap', 'onap-sdnc', 'onap-sdnc.onap', 
'sdnc', 'sdnc.api.simpledemo.onap.org', 'sdnc.onap', 'vm1.sdnc.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -sdnc@sdnc.onap.org|sdnc|local|/opt/app/osaaf/local||mailto:|org.onap.sdnc|root|60|{'c1.vm1.sdnc.simpledemo.onap', 'c2.vm1.sdnc.simpledemo.onap', 'c3.vm1.sdnc.simpledemo.onap', 'c4.vm1.sdnc.simpledemo.onap', 'onap-sdnc', 'onap-sdnc.onap', 'sdnc', 'sdnc.api.simpledemo.onap.org', 'sdnc.onap', 'vm1.sdnc.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -shi@shi.onap.org|onap.shi|local|/opt/app/osaaf/local||mailto:|onap.shi|root|30|{'onap_shi', 'shi', 'shi.api.simpledemo.onap.org', 'shi_onap'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -so@so.onap.org|aai-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'aai-simulator', 'localhost'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|bpmn-infra|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'bpmn-infra', 'bpmn-infra.onap'}|mmanager@osaaf.org|{'pkcs12'} -so@so.onap.org|sdc-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'localhost', 'sdc-simulator'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|sdnc-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'localhost', 'sdnc-simulator'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|so-apih|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30|{'mso-asdc-controller-svc', 'mso-bpmn-infra-svc', 'mso-catalog-db-adapter-svc', 'mso-openstack-adapter-svc', 'mso-request-db-adapter-svc', 'mso-sdnc-adapter-svc'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -so@so.onap.org|so-client|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30||mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -so@so.onap.org|so|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so.api.simpledemo.onap.org', 'so.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'} 
-so@so.onap.org|so-vnfm-adapter|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-adapter', 'so-vnfm-adapter.onap'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|so-vnfm-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-simulator', 'so-vnfm-simulator.onap'}|aaf_admin@osaaf.org|{'pkcs12'} -tester1@test.portal.onap.org|tester1|aaf|/||mailto:|org.onap.portal.test|root|30||@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -vfc@vfc.onap.org|vfc|local|/opt/app/osaaf/local||mailto:|org.onap.vfc|root|30|{'vfc.api.simpledemo.onap.org vfc.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -vid1@vid1.onap.org|vid1|local|/opt/app/osaaf/local||mailto:|org.onap.vid1|root|30|{'onap', 'onap.vid1', 'vid1', 'vid1.api.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -vid2@vid2.onap.org|vid2|local|/opt/app/osaaf/local||mailto:|org.onap.vid2|root|30|{'onap.vid2', 'vid2', 'vid2.api.simpledemo.onap.org', 'vid2.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -vid@vid.onap.org|vid|local|/opt/app/osaaf/local||mailto:|org.onap.vid|root|30|{'vid.api.simpledemo.onap.org', 'vid.onap'}|mmanager@osaaf.org|{'jks', 'pkcs12'} -uui@uui.onap.org|uui|local|/opt/app/osaaf/local||mailto:|org.onap.uui|root|30|{'uui', 'uui.api.simpledemo.onap.org', 'uui.onap','uui-server', 'uui-server.api.simpledemo.onap.org', 'uui-server.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/config.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/config.dat deleted file mode 100644 index 18b5c90fd6..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/config.dat +++ /dev/null 
@@ -1,10 +0,0 @@
-aaf|aaf_env|DEV
-aaf|aaf_oauth2_introspect_url|https://AAF_LOCATE_URL/%CNS.%AAF_NS.introspect:2.1/introspect
-aaf|aaf_oauth2_token_url|https://AAF_LOCATE_URL/%CNS.%AAF_NS.token:2.1/token
-aaf|aaf_url_cm|https://AAF_LOCATE_URL/%CNS.%AAF_NS.cm:2.1
-aaf|aaf_url_fs|https://AAF_LOCATE_URL/%CNS.%AAF_NS.fs:2.1
-aaf|aaf_url_gui|https://AAF_LOCATE_URL/%CNS.%AAF_NS.gui:2.1
-aaf|aaf_url|https://AAF_LOCATE_URL/%CNS.%AAF_NS.service:2.1
-aaf|aaf_url_oauth|https://AAF_LOCATE_URL/%CNS.%AAF_NS.oauth:2.1
-aaf|cadi_protocols|TLSv1.1,TLSv1.2
-aaf|cadi_x509_issuers|CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat
deleted file mode 100644
index 1279c363b5..0000000000
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat
+++ /dev/null
@@ -1,59 +0,0 @@ -portal@portal.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.portal|53344|| -shi@shi.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.shi|53344|| -a1p@a1p.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.a1p|53344|| -aaf@aaf.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.aaf|53344|| -aaf-sms@aaf-sms.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aaf-sms|53344|| -clamp@clamp.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.clamp|53344|| -aai@aai.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai|53344|| -aai-resources@aai-resources.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-resources|53344|| -aai-schema-service@aai-schema-service.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-schema-service|53344|| -aai-traversal@aai-traversal.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-traversal|53344|| -appc@appc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc|53344|| -appc-cdt@appc-cdt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc-cdt|53344|| -cli@cli.onap.org|2|2020-11-26 
12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.cli|53344|| -dcae@dcae.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dcae|53344|| -oof@oof.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.oof|53344|| -so@so.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.so|53344|| -sdc@sdc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.sdc|53344|| -sdnc@sdnc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.sdnc|53344|| -sdnc-cds@sdnc-cds.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.sdnc-cds|53344|| -vfc@vfc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vfc|53344|| -policy@policy.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.policy|53344|| -pomba@pomba.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.pomba|53344|| -holmes@holmes.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.holmes|53344|| -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.holmes-engine-mgmt|53344|| -holmes-rule-mgmt@holmes-rule-mgmt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial 
ID|org.onap.holmes-rule-mgmt|53344|| -nbi@nbi.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.nbi|53344|| -msb-eag@msb-eag.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.msb-eag|53344|| -msb-iag@msb-iag.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.msb-iag|53344|| -music@music.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.music|53344|| -refrepo@refrepo.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.refrepo|53344|| -vid@vid.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid|53344|| -vid1@vid1.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid1|53344|| -vid2@vid2.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid2|53344|| -dmaap-bc@dmaap-bc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-bc|53344|| -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-bc-topic-mgr|53344|| -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-bc-mm-prov|53344|| -dmaap-dr@dmaap-dr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-dr|53344|| 
-dmaap-dr-prov@dmaap-dr-prov.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-dr-prov|53344|| -dmaap-dr-node@dmaap-dr-node.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-dr-node|53344|| -dmaap-mr@dmaap-mr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-mr|53344|| -dmaapmr@dmaapmr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaapmr|53344|| -#dmaap.mr@#dmaap.mr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.mr.#dmaap|53344|| -iowna@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -mmanager@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -bdevl@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -mmarket@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -demo@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -jh0003@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -cs0008@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -jm0007@people.osaaf.org|2|2020-11-26 
12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -op0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -gv0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -pm0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -gs0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -ps0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -aaf_admin@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -deployer@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -portal_admin@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -uui@uui.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.uui|53344|| diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat deleted file mode 100644 index 7d20d55c31..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat +++ /dev/null 
@@ -1,88 +0,0 @@
-org.onap.a1p||org.onap||3
-org.onap.aaf-sms||org.onap||3
-org.onap.aai||org.onap||3
-org.onap.aai-resources||org.onap||3
-org.onap.aai-schema-service||org.onap||3
-org.onap.aai-traversal||org.onap||3
-org.onap.appc||org.onap||3
-org.onap.appc-cdt||org.onap||3
-org.onap.cds||org.onap||3
-org.onap.clampdemo|Onap clamp demo NS|org.onap|2|2
-org.onap.clamp||org.onap||3
-org.onap.clamptest|Onap clamp test NS|org.onap|2|2
-org.onap.cli||org.onap||3
-org.onap.dcae||org.onap||3
-org.onap.dmaap-bc.api||org.onap.dmaap-bc||3
-org.onap.dmaap-bc-mm-prov||org.onap||3
-org.onap.dmaap-bc||org.onap||3
-org.onap.dmaap.bc||org.onap||3
-org.onap.dmaapbc||org.onap||3
-org.onap.dmaap-bc-topic-mgr||org.onap||3
-org.onap.dmaap-dr||org.onap||3
-org.onap.dmaap.mr.aNewTopic-123450||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aNewTopic-123451||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aNewTopic-1547667570||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aNewTopic-||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTest-1547665517||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTest-1547666628||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTest-1547666760||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTest-1547666950||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTest-1547667031||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-123456||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-123457||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-1547660509||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-1547660861||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-1547661011||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-1547662122||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-1547662451||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-1547664813||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-1547664928||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTestTopic-1547666068||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.aTopic-1547654909||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.dgl000||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.dgl_ready||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.IdentityTopic-12345||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.IdentityTopic-1547839476||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.mirrormakeragent||org.onap.dmaap.mr||3
-org.onap.dmaap-mr||org.onap||3
-org.onap.dmaap.mr||org.onap||3
-org.onap.dmaap.mr.partitionTest-1546033194||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.PM_MAPPER||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.PNF_READY||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.PNF_REGISTRATION||org.onap.dmaap.mr||3
-org.onap.dmaap-mr.sunil||org.onap.dmaap-mr||3
-org.onap.dmaap-mr.test||org.onap.dmaap-mr||3
-org.onap.dmaap.mr.topic-000||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.topic-001||org.onap.dmaap.mr||3
-org.onap.dmaap.mr.topic-002||org.onap.dmaap.mr||3
-org.onap.dmaap||org.onap||3
-org.onap.holmes||org.onap||3
-org.onap.holmes-engine-mgmt||org.onap||3
-org.onap.holmes-rule-mgmt||org.onap||3
-org.onap.music||org.onap||3
-org.onap.msb-eag||org.onap||3
-org.onap.msb-iag||org.onap||3
-org.onap.nbi||org.onap||3
-org.onap|ONAP|org|2|2
-org.onap.oof||org.onap||3
-org.onap.policy||org.onap||3
-org.onap.pomba||org.onap||3
-org.onap.portal|ONAP Portal|org.onap.portal|3|3
-org.onap.portal.test||org.onap.portal||3
-org.onap.refrepo||org.onap||3
-org.onap.sdc||org.onap||3
-org.onap.sdnc-cds||org.onap||3
-org.onap.sdnc||org.onap||3
-org.onap.so||org.onap||3
-org.onap.vfc||org.onap||3
-org.onap.vid1||org.onap||3
-org.onap.vid2||org.onap||3
-org.onap.vid||org.onap||3
-org.onap.uui||org.onap||3
-org.openecomp.dcae|DCAE Namespace Org|org.openecomp|3|3
-org.openecomp.dmaapBC|DMaap NS|org.openecomp|3|3
-org.openecomp|Open EComp NS|org|2|2
-org.osaaf.aaf|Application Authorization Framework|org.osaaf|3|3
-org.osaaf|OSAAF Namespace|org|2|2
-org.osaaf.people||org.osaaf||3
-org|Root Namespace|.|1|1
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat
deleted file mode 100644
index 89c726f9ec..0000000000
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat
+++ /dev/null
@@ -1,547 +0,0 @@ -org|access|*|*|Org Write Access|{'org.admin'} -org|access|*|read,approve|Org Read Access|{'org.owner'} -org|access|*|read|Org Read Access|{'org.owner'} -org.onap.a1p|access|*|*|AAF Namespace Write Access|"{'org.onap.a1p|admin', 'org.onap.a1p|service'}" -org.onap.a1p|access|*|read|AAF Namespace Read Access|"{'org.onap.a1p|owner'}" -org.onap.a1p|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aaf-sms|access|*|*|AAF Namespace Write Access|"{'org.onap.aaf-sms|admin'}" -org.onap.aaf-sms|access|*|read|AAF Namespace Read Access|"{'org.onap.aaf-sms|owner'}" -org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai|access|*|*|AAF Namespace Write Access|"{'org.onap.aai|admin'}" -org.onap.aai|access|*|read|AAF Namespace Read Access|"{'org.onap.aai|owner'}" -org.onap.aai|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai|resources|*|delete||"{'org.onap.aai|resources_all'}" -org.onap.aai|resources|*|get||"{'org.onap.aai|resources_all', 'org.onap.aai|resources_readonly'}" -org.onap.aai|resources|*|patch||"{'org.onap.aai|resources_all'}" -org.onap.aai|resources|*|post||"{'org.onap.aai|resources_all'}" -org.onap.aai|resources|*|put||"{'org.onap.aai|resources_all'}" -org.onap.aai|traversal|*|advanced||"{'org.onap.aai|traversal_advanced'}" -org.onap.aai|traversal|*|basic||"{'org.onap.aai|traversal_basic'}" -org.onap.aai-resources|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-resources|admin', 'org.onap.aai-resources|service'}" -org.onap.aai-resources|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-resources|owner'}" -org.onap.aai-resources|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai-schema-service|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-schema-service|admin', 'org.onap.aai-schema-service|service'}" -org.onap.aai-schema-service|access|*|read|AAF Namespace Read 
Access|"{'org.onap.aai-schema-service|owner'}" -org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai-traversal|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-traversal|admin', 'org.onap.aai-traversal|service'}" -org.onap.aai-traversal|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-traversal|owner'}" -org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap|access|*|*|Onap Write Access|{'org.onap.admin'} -org.onap|access|*|read|Onap Read Access|{'org.onap.owner'} -org.onap.appc|access|*|*|AAF Namespace Write Access|"{'org.onap.appc|admin', 'org.onap.appc|service'}" -org.onap.appc|access|*|read|AAF Namespace Read Access|"{'org.onap.appc|owner'}" -org.onap.appc|apidoc|/apidoc/.*|ALL||"{'org.onap.appc|apidoc'}" -org.onap.appc|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.appc|odl|odl-api|*|Appc ODL API Access|"{'org.onap.appc.odl', 'org.onap.appc|admin'}" -org.onap.appc|restconf|/restconf/.*|ALL||"{'org.onap.appc|restconf'}" -org.onap.appc-cdt|access|*|*|AAF Namespace Write Access|"{'org.onap.appc-cdt|admin', 'org.onap.appc-cdt|service'}" -org.onap.appc-cdt|access|*|read|AAF Namespace Read Access|"{'org.onap.appc-cdt|owner'}" -org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.cds|access|*|*|AAF Namespace Write Access|"{'org.onap.cds|admin'}" -org.onap.cds|access|*|read|AAF Namespace Read Access|"{'org.onap.cds|owner'}" -org.onap.clamp|access|*|*|AAF Namespace Write Access|"{'org.onap.clamp|admin', 'org.onap.clamp|service'}" -org.onap.clamp|access|*|read|Onap Clamp Read Access|{'org.onap.clamp.owner'} -org.onap.clamp|certman|local|request,ignoreIPs,showpass||"{'org.onap.clamp|admin', 'org.onap.clamp|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.clamp|clds.cl|dev|*||"{'org.onap.clamp|service'}" -org.onap.clamp|clds.cl|dev|read|Onap Clamp Dev Read 
Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.cl|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.cl.event|dev|*|Onap Clamp Dev Write Access|{'org.onap.clamp.clds.designer.dev'} -org.onap.clamp|clds.cl.manage|dev|*|Onap Clamp Dev Manage Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|service'}" -org.onap.clamp|clds.filter.vf|dev|*|Onap Clamp Filter All Dev Access|"{'org.onap.clamp.clds.vf_filter_all.dev', 'org.onap.clamp|service'}" -org.onap.clamp|clds.template|dev|*||"{'org.onap.clamp|service'}" -org.onap.clamp|clds.template|dev|read|Onap Clamp Dev Read Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.template|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.tosca|dev|*||"{'org.onap.clamp|service'}" -org.onap.clamp|clds.policies|dev|*||"{'org.onap.clamp|service'}" -org.onap.clampdemo|access|*|*|ClampDemo Write Access|{'org.onap.clampdemo.admin'} -org.onap.clampdemo|access|*|read|ClampDemo Read Access|{'org.onap.clampdemo.owner'} -org.onap.clamptest|access|*|*|Onap Write Access|{'org.onap.clamptest.admin'} -org.onap.clamptest|access|*|read|Onap Read Access|{'org.onap.clamptest.owner'} -org.onap.cli|access|*|*|AAF Namespace Write Access|"{'org.onap.cli|admin', 'org.onap.cli|service'}" -org.onap.cli|access|*|read|AAF Namespace Read Access|"{'org.onap.cli|owner'}" -org.onap.cli|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dcae|access|*|*|AAF Namespace Write Access|"{'org.onap.dcae|admin', 'org.onap.dmaap-bc-topic-mgr|admin', 'org.onap.dmaap-bc|admin'}" -org.onap.dcae|access|*|read|AAF Namespace Read Access|"{'org.onap.dcae|owner'}" -org.onap.dcae|certman|local|request,ignoreIPs,showpass||"{'org.onap.dcae|seeCerts', 'org.osaaf.aaf|deploy'}" 
-org.onap.dcae|dmaap.topicFactory|:com.att.dcae.dmaap.FTL.mr.topic:com.att.dcae.dmaap.FTL|create|| -org.onap.dcae|dmaap.topicFactory|:null.FTL.mr.topic:null.FTL|create|| -org.onap.dmaap|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap|admin'}" -org.onap.dmaap|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap|owner'}" -org.onap.dmaap-bc|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc|admin'}" -org.onap.dmaapbc|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaapbc|admin'}" -org.onap.dmaap.bc|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.bc|admin', 'org.onap.dmaap.bc|service'}" -org.onap.dmaap-bc|access|*|read|AAF Namespace Read Access|"{'org.onap.dcae|admin', 'org.onap.dmaap-bc|owner'}" -org.onap.dmaap.bc|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.bc|owner'}" -org.onap.dmaapbc|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaapbc|owner'}" -org.onap.dmaap-bc.api|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc.api|admin', 'org.onap.dmaap-bc|admin'}" -org.onap.dmaap-bc.api|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-bc.api|owner', 'org.onap.dmaap-bc|admin', 'org.onap.dmaap-bc|service'}" -org.onap.dmaap-bc.api|bridge|onapdemo|GET||"{'org.onap.dmaap-bc.api|Metrics'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|boot|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|boot|GET||"{'org.onap.dmaap-bc.api|Controller'}" 
-org.onap.dmaap-bc.api|dmaap|boot|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|boot|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" 
-org.onap.dmaap-bc.api|dr_subs|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_subs|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" 
-org.onap.dmaap-bc.api|mr_clusters|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clusters|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|mr_clusters|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|topics|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator'}" -org.onap.dmaap-bc.api|topics|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|topics|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator'}" -org.onap.dmaap-bc.api|topics|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator'}" -org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass||"{'org.onap.dmaap-bc|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.dmaap-bc-mm-prov|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc-mm-prov|admin'}" -org.onap.dmaap-bc-mm-prov|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-bc-mm-prov|owner'}" -org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap-bc-topic-mgr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc-topic-mgr|admin'}" -org.onap.dmaap-bc-topic-mgr|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-bc-topic-mgr|owner'}" -org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap-dr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-dr|admin'}" -org.onap.dmaap-dr|access|*|read|AAF Namespace Read 
Access|"{'org.onap.dmaap-dr|owner'}" -org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass||"{'org.onap.dmaap-dr|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.dmaap-dr|feed|*|approveSub||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap|dr.feed|*|create|| -org.onap.dmaap-dr|feed|*|create||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|delete||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|edit||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|*||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|publish||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|restore||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|subscribe||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|suspend||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|sub|*|delete||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|edit||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|*||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|publish||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|restore||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|suspend||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap.mr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc|service', 'org.onap.dmaap.mr|admin'}" -org.onap.dmaap-mr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-mr|admin'}" -org.onap.dmaap-mr|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-mr|owner'}" -org.onap.dmaap.mr|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr|owner', 'org.onap.dmaap.mr|service'}" -org.onap.dmaap.mr.aNewTopic-123450|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aNewTopic-123450|admin'}" -org.onap.dmaap.mr.aNewTopic-123450|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-123450|owner'}" -org.onap.dmaap.mr.aNewTopic-123451|access|*|*|AAF Namespace Write 
Access|"{'org.onap.dmaap.mr.aNewTopic-123451|admin'}" -org.onap.dmaap.mr.aNewTopic-123451|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-123451|owner'}" -org.onap.dmaap.mr.aNewTopic-1547667570|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aNewTopic-1547667570|admin'}" -org.onap.dmaap.mr.aNewTopic-1547667570|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-1547667570|owner'}" -org.onap.dmaap.mr.aNewTopic-|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aNewTopic-|admin'}" -org.onap.dmaap.mr.aNewTopic-|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-|owner'}" -org.onap.dmaap.mr.aTest-1547665517|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547665517|admin'}" -org.onap.dmaap.mr.aTest-1547665517|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547665517|owner'}" -org.onap.dmaap.mr.aTest-1547666628|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547666628|admin'}" -org.onap.dmaap.mr.aTest-1547666628|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547666628|owner'}" -org.onap.dmaap.mr.aTest-1547666760|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547666760|admin'}" -org.onap.dmaap.mr.aTest-1547666760|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547666760|owner'}" -org.onap.dmaap.mr.aTest-1547666950|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547666950|admin'}" -org.onap.dmaap.mr.aTest-1547666950|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547666950|owner'}" -org.onap.dmaap.mr.aTest-1547667031|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547667031|admin'}" -org.onap.dmaap.mr.aTest-1547667031|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547667031|owner'}" -org.onap.dmaap.mr.aTestTopic-123456|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-123456|admin'}" 
-org.onap.dmaap.mr.aTestTopic-123456|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-123456|owner'}" -org.onap.dmaap.mr.aTestTopic-123457|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-123457|admin'}" -org.onap.dmaap.mr.aTestTopic-123457|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-123457|owner'}" -org.onap.dmaap.mr.aTestTopic-1547660509|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547660509|admin'}" -org.onap.dmaap.mr.aTestTopic-1547660509|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547660509|owner'}" -org.onap.dmaap.mr.aTestTopic-1547660861|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547660861|admin'}" -org.onap.dmaap.mr.aTestTopic-1547660861|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547660861|owner'}" -org.onap.dmaap.mr.aTestTopic-1547661011|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547661011|admin'}" -org.onap.dmaap.mr.aTestTopic-1547661011|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547661011|owner'}" -org.onap.dmaap.mr.aTestTopic-1547662122|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547662122|admin'}" -org.onap.dmaap.mr.aTestTopic-1547662122|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547662122|owner'}" -org.onap.dmaap.mr.aTestTopic-1547662451|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547662451|admin'}" -org.onap.dmaap.mr.aTestTopic-1547662451|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547662451|owner'}" -org.onap.dmaap.mr.aTestTopic-1547664813|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547664813|admin'}" -org.onap.dmaap.mr.aTestTopic-1547664813|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547664813|owner'}" 
-org.onap.dmaap.mr.aTestTopic-1547664928|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547664928|admin'}" -org.onap.dmaap.mr.aTestTopic-1547664928|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547664928|owner'}" -org.onap.dmaap.mr.aTestTopic-1547666068|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547666068|admin'}" -org.onap.dmaap.mr.aTestTopic-1547666068|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547666068|owner'}" -org.onap.dmaap.mr.aTopic-1547654909|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTopic-1547654909|admin'}" -org.onap.dmaap.mr.aTopic-1547654909|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTopic-1547654909|owner'}" -org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap.mr.dgl000|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.dgl000|admin'}" -org.onap.dmaap.mr.dgl000|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.dgl000|owner'}" -org.onap.dmaap.mr.dgl_ready|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.dgl_ready|admin'}" -org.onap.dmaap.mr.dgl_ready|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.dgl_ready|owner'}" -org.onap.dmaap.mr.IdentityTopic-12345|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.IdentityTopic-12345|admin'}" -org.onap.dmaap.mr.IdentityTopic-12345|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.IdentityTopic-12345|owner'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|admin'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|owner'}" -org.onap.dmaap.mr|mirrormaker|*|admin||"{'org.onap.dmaap.mr|mirrormaker.admin'}" 
-org.onap.dmaap.mr.mirrormakeragent|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.mirrormakeragent|admin'}" -org.onap.dmaap.mr.mirrormakeragent|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.mirrormakeragent|owner'}" -org.onap.dmaap.mr|mirrormaker|*|user||"{'org.onap.dmaap.mr|mirrormaker.user'}" -org.onap.dmaap.mr.partitionTest-1546033194|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.partitionTest-1546033194|admin'}" -org.onap.dmaap.mr.partitionTest-1546033194|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.partitionTest-1546033194|owner'}" -org.onap.dmaap.mr.PM_MAPPER|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.PM_MAPPER|admin'}" -org.onap.dmaap.mr.PM_MAPPER|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.PM_MAPPER|owner'}" -org.onap.dmaap.mr.PNF_READY|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.PNF_READY|admin'}" -org.onap.dmaap.mr.PNF_READY|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.PNF_READY|owner'}" -org.onap.dmaap.mr.PNF_REGISTRATION|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.PNF_REGISTRATION|admin'}" -org.onap.dmaap.mr.PNF_REGISTRATION|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.PNF_REGISTRATION|owner'}" -org.onap.dmaap-mr|saitest|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub||"{'org.onap.dmaap-mr|admin', 'org.onap.dmaap-mr|sai'}" -org.onap.dmaap-mr.sunil|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-mr.sunil|admin'}" -org.onap.dmaap-mr.sunil|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-mr.sunil|owner'}" -org.onap.dmaap-mr.sunil|test|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub||"{'org.onap.dmaap-mr.sunil|admin2'}" -org.onap.dmaap-mr.test|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-mr.test|admin'}" -org.onap.dmaap-mr.test|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-mr.test|owner'}" -org.onap.dmaap.mr.topic-000|access|*|*|AAF Namespace Write 
Access|"{'org.onap.dmaap.mr.topic-000|admin'}" -org.onap.dmaap.mr.topic-000|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.topic-000|owner'}" -org.onap.dmaap.mr.topic-001|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.topic-001|admin'}" -org.onap.dmaap.mr.topic-001|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.topic-001|owner'}" -org.onap.dmaap.mr.topic-002|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.topic-002|admin'}" -org.onap.dmaap.mr.topic-002|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.topic-002|owner'}" -org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create,destroy||"{'org.onap.dmaap-bc|service'}" -org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create||"{'org.onap.dmaap-bc-topic-mgr|client', 'org.onap.dmaap.mr|create'}" -org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|destroy||"{'org.onap.dmaap-bc-topic-mgr|client', 'org.onap.dmaap.mr|destroy'}" -org.onap.dmaap.mr|topic|*|*||"{'org.onap.dmaap-bc|service'}" -org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|pub||"{'org.onap.dcae|pnfPublisher'}" -org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|sub||"{'org.onap.dcae|pnfPublisher'}" -org.onap.dmaap.mr|topictest|*|view|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539200479|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539200479|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539200479|view|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539201873|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539201873|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539201873|view|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|sub||"{'org.onap.dmaap-mr|Publisher'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|pub||"{'org.onap.dcae|pnfPublisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|sub||"{'org.onap.dcae|pnfSubscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|view||"{'org.onap.dcae|pnfPublisher', 'org.onap.dcae|pnfSubscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|pub||"{'org.onap.dmaap.mr.dgl_ready|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|sub||"{'org.onap.dmaap.mr.dgl_ready|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|view||"{'org.onap.dmaap.mr.dgl_ready|publisher', 'org.onap.dmaap.mr.dgl_ready|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1529190699|pub|| 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest201810100530|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|pub||"{'org.onap.dmaap.mr.IdentityTopic-12345|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|sub||"{'org.onap.dmaap.mr.IdentityTopic-12345|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|view||"{'org.onap.dmaap.mr.IdentityTopic-12345|publisher', 'org.onap.dmaap.mr.IdentityTopic-12345|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|pub||"{'org.onap.dmaap.mr.IdentityTopic-1547839476|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|sub||"{'org.onap.dmaap.mr.IdentityTopic-1547839476|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|view||"{'org.onap.dmaap.mr.IdentityTopic-1547839476|publisher', 'org.onap.dmaap.mr.IdentityTopic-1547839476|subscriber'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|pub||"{'org.onap.dmaap.mr.mirrormakeragent|pub', 'org.onap.dmaap.mr.mirrormakeragent|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|sub||"{'org.onap.dmaap.mr.mirrormakeragent|sub', 'org.onap.dmaap.mr.mirrormakeragent|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|view||"{'org.onap.dmaap.mr.mirrormakeragent|publisher', 'org.onap.dmaap.mr.mirrormakeragent|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mmagent|pub||"{'org.onap.dmaap.mr|mmagent.pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mmagent|sub||"{'org.onap.dmaap.mr|mmagent.sub', 'org.onap.dmaap.mr|mmagent.sub1'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtest|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|pub||"{'org.onap.dmaap.mr|mrtesttopic.pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|sub||"{'org.onap.dmaap.mr|mrtesttopic.sub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|pub||"{'org.onap.dmaap.mr.PM_MAPPER|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|sub||"{'org.onap.dmaap.mr.PM_MAPPER|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|view||"{'org.onap.dmaap.mr.PM_MAPPER|publisher', 'org.onap.dmaap.mr.PM_MAPPER|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|pub||"{'org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr.PNF_READY|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|sub||"{'org.onap.dmaap.mr.PNF_READY|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view||"{'org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr.PNF_READY|publisher', 'org.onap.dmaap.mr.PNF_READY|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|pub||"{'org.onap.dmaap.mr.PNF_REGISTRATION|publisher'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub||"{'org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr.PNF_REGISTRATION|subscriber', 'org.onap.dmaap.mr|PNF_REGISTRATION.sub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view||"{'org.onap.dmaap.mr.PNF_REGISTRATION|publisher', 'org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr.PNF_REGISTRATION|subscriber', 'org.onap.dmaap.mr|PNF_REGISTRATION.sub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|pub||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|view||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|pub||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|view||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|pub||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|view||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.test1|pub||"{'org.onap.dmaap.mr|test1'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|pub||"{'org.onap.dcae|pnfPublisher', 'org.onap.dmaap.mr.topic-000|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|sub||"{'org.onap.dmaap.mr.topic-000|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view||"{'org.onap.dcae|pnfPublisher', 'org.onap.dmaap.mr.topic-000|publisher', 'org.onap.dmaap.mr.topic-000|subscriber'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|pub||"{'org.onap.dmaap.mr.topic-001|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|sub||"{'org.onap.dmaap.mr.topic-001|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|view||"{'org.onap.dmaap.mr.topic-001|publisher', 'org.onap.dmaap.mr.topic-001|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|pub||"{'org.onap.dmaap.mr.topic-002|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|sub||"{'org.onap.dmaap.mr.topic-002|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|view||"{'org.onap.dmaap.mr.topic-002|publisher', 'org.onap.dmaap.mr.topic-002|subscriber'}" -org.onap.dmaap.mr|topic|*|view||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap.mr|view'}" -org.onap.dmaap.mr|viewtest|*|view||"{'org.onap.dmaap.mr|viewtest'}" -org.onap.holmes|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes|admin'}" -org.onap.holmes|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes|owner'}" -org.onap.holmes-engine-mgmt|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes-engine-mgmt|admin', 'org.onap.holmes-engine-mgmt|service'}" -org.onap.holmes-engine-mgmt|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes-engine-mgmt|owner'}" -org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass||"{'org.onap.holmes-engine-mgmt|admin', 'org.onap.holmes-engine-mgmt|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.holmes-rule-mgmt|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes-rule-mgmt|admin', 'org.onap.holmes-rule-mgmt|service'}" -org.onap.holmes-rule-mgmt|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes-rule-mgmt|owner'}" -org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass||"{'org.onap.holmes-rule-mgmt|admin', 'org.onap.holmes-rule-mgmt|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.msb-eag|access|*|*|AAF Namespace Write Access|"{'org.onap.msb-eag|admin', 
'org.onap.msb-eag|service'}" -org.onap.msb-eag|access|*|read|AAF Namespace Read Access|"{'org.onap.msb-eag|owner'}" -org.onap.msb-eag|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.msb-iag|access|*|*|AAF Namespace Write Access|"{'org.onap.msb-iag|admin', 'org.onap.msb-iag|service'}" -org.onap.msb-iag|access|*|read|AAF Namespace Read Access|"{'org.onap.msb-iag|owner'}" -org.onap.msb-iag|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.music|access|*|*|AAF Namespace Write Access|"{'org.onap.music|admin'}" -org.onap.music|access|*|read|AAF Namespace Read Access|"{'org.onap.music|owner'}" -org.onap.music|certman|local|request,ignoreIPs,showpass||"{'org.onap.music|admin', 'org.osaaf.aaf|deploy'}" -org.onap.nbi|access|*|*|AAF Namespace Write Access|"{'org.onap.nbi|admin', 'org.onap.nbi|service'}" -org.onap.nbi|access|*|read|AAF Namespace Read Access|"{'org.onap.nbi|owner'}" -org.onap.nbi|certman|local|request,ignoreIPs,showpass||"{'org.onap.nbi|admin', 'org.onap.nbi|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.ngi|access|*|*|AAF Namespace Write Access|"{'org.onap.ngi|admin'}" -org.onap.ngi|access|*|read|AAF Namespace Read Access|"{'org.onap.ngi|owner'}" -org.onap.oof|access|*|*|AAF Namespace Write Access|"{'org.onap.oof|admin'}" -org.onap.oof|access|*|read|AAF Namespace Read Access|"{'org.onap.oof|owner'}" -org.onap.oof|certman|local|request,ignoreIPs,showpass||"{'org.onap.oof|admin', 'org.onap.sdc|admin', 'org.osaaf.aaf|deploy'}" -org.onap.policy|access|*|*|AAF Namespace Write Access|"{'org.onap.policy|admin', 'org.onap.policy|pdpd.admin'}" -org.onap.policy|access|*|read|AAF Namespace Read Access|"{'org.onap.policy|owner', 'org.onap.policy|pdpd.admin'}" -org.onap.policy|certman|local|request,ignoreIPs,showpass||"{'org.onap.policy|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.policy|menu|menu_admin|*|Admin Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_ajax|*|Ajax 
Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_concept|*|CoNCEPT| -org.onap.policy|menu|menu_customer_create|*|Customer Create|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_customer|*|Customer Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_doclib|*|Document Library Menu| -org.onap.policy|menu|menu_feedback|*|Feedback Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_help|*|Help Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_home|*|Home Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_itracker|*|iTracker Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_job_create|*|Job Create|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_job_designer|*|Process in Designer view| -org.onap.policy|menu|menu_job|*|Job Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_logout|*|Logout Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_map|*|Map Menu|"{'org.onap.policy|Standard_User'}" -org.onap.policy|menu|menu_notes|*|Notes Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_policy|*|Policy|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|menu|menu_process|*|Process List|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_profile_create|*|Profile Create|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_profile_import|*|Profile Import|"{'org.onap.policy|System_Administrator'}" 
-org.onap.policy|menu|menu_profile|*|Profile Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_reports|*|Reports Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_sample|*|Sample Pages Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_tab|*|Sample Tab Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_task_search|*|Task Search| -org.onap.policy|menu|menu_task|*|Task Menu| -org.onap.policy|menu|menu_test|*|Test Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|pdpd.healthcheck.configuration|*|get||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpd.healthcheck|*|get||"{'org.onap.policy|pdpd.admin', 'org.onap.policy|pdpd.monitor'}" -org.onap.policy|pdpd.telemetry|*|delete||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpd.telemetry|*|get||"{'org.onap.policy|pdpd.admin', 'org.onap.policy|pdpd.monitor'}" -org.onap.policy|pdpd.telemetry|*|post||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpd.telemetry|*|put||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpx.config|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.createDictionary|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.createPolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.decision|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getConfigByPolicyName|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getConfig|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getDecision|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getDictionary|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getMetrics|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.listConfig|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.list|*|*||"{'org.onap.policy|pdpx.admin'}" 
-org.onap.policy|pdpx.listPolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.policyEngineImport|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.pushPolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.sendEvent|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.updateDictionary|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.updatePolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|url|doclib_admin|*|Document Library Admin|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|url|doclib|*|Document Library|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|url|login|*|Login|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|url|policy_admin|*|Policy Admin|"{'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_dashboard|*|Policy Dashboard|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_dictionary|*|Policy Dictionary|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_editor|*|Policy Editor|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_pdp|*|Policy PDP|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_push|*|Policy Push|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" 
-org.onap.policy|url|policy_roles|*|Policy Roles|"{'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|view_reports|*|View Raptor reports| -org.onap.pomba|access|*|*|AAF Namespace Write Access|"{'org.onap.pomba|admin'}" -org.onap.pomba|access|*|read|AAF Namespace Read Access|"{'org.onap.pomba|owner'}" -org.onap.pomba|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.portal|access|*|*|Portal Write Access|{'org.onap.portal.admin'} -org.onap.portal|access|*|read|Portal Read Access| -org.onap.portal|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.portal|menu|menu_acc_admin|*|Admin Account Menu|"{'org.onap.portal|Account_Administrator', 'org.onap.portal|System_Administrator'}" -org.onap.portal|menu|menu_admin|*|Admin Menu|"{'org.onap.portal|System_Administrator', 'org.onap.portal|Usage_Analyst'}" -org.onap.portal|menu|menu_ajax|*|Ajax Menu| -org.onap.portal|menu|menu_customer_create|*|Customer Create| -org.onap.portal|menu|menu_customer|*|Customer Menu| -org.onap.portal|menu|menu_feedback|*|Feedback Menu| -org.onap.portal|menu|menu_help|*|Help Menu| -org.onap.portal|menu|menu_home|*|Home Menu|"{'org.onap.portal|Standard_User', 'org.onap.portal|System_Administrator'}" -org.onap.portal|menu|menu_job_create|*|Job Create| -org.onap.portal|menu|menu_job_designer|*|Process in Designer view| -org.onap.portal|menu|menu_job|*|Job Menu| -org.onap.portal|menu|menu_logout|*|Logout Menu|"{'org.onap.portal|Standard_User', 'org.onap.portal|System_Administrator'}" -org.onap.portal|menu|menu_map|*|Map Menu| -org.onap.portal|menu|menu_notes|*|Notes Menu| -org.onap.portal|menu|menu_process|*|Process List| -org.onap.portal|menu|menu_profile_create|*|Profile Create| -org.onap.portal|menu|menu_profile_import|*|Profile Import| -org.onap.portal|menu|menu_profile|*|Profile Menu| -org.onap.portal|menu|menu_reports|*|Reports Menu| -org.onap.portal|menu|menu_sample|*|Sample Pages Menu| 
-org.onap.portal|menu|menu_tab|*|Sample Tab Menu| -org.onap.portal|menu|menu_task_search|*|Task Search|"{'org.onap.portal|Usage_Analyst'}" -org.onap.portal|menu|menu_task|*|Task Menu|"{'org.onap.portal|Usage_Analyst'}" -org.onap.portal|menu|menu_web_analytics|*|Web Analytics|"{'org.onap.portal|Portal_Usage_Analyst', 'org.onap.portal|Usage_Analyst'}" -org.onap.portal.test|aaaa|*|write|| -org.onap.portal.test|access1|*|read|| -org.onap.portal.test|access|*|*|AAF Namespace Write Access|"{'org.onap.portal.test|admin'}" -org.onap.portal.test|access|*|read|AAF Namespace Read Access|"{'org.onap.portal.test|owner'}" -org.onap.portal.test|myaccess|*|read|| -org.onap.portal.test|user1.access|*|read|| -org.onap.portal.test|user1.myaccess|*|read|| -org.onap.portal|url|addWebAnalyticsReport|*|Add Web Analytics Report| -org.onap.portal|url|appsFullList|*|Apps Full List| -org.onap.portal|url|centralizedApps|*|Centralized Apps|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|edit_notification|*|User Notification|"{'org.onap.portal|Portal_Notification_Admin'}" -org.onap.portal|url|functionalMenu|*|Functional Menu| -org.onap.portal|url|getAdminNotifications|*|Admin Notifications|"{'org.onap.portal|Account_Administrator', 'org.onap.portal|Portal_Notification_Admin'}" -org.onap.portal|url|getAllWebAnalytics|*|Get All Web Analytics|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|getFunctionalMenuRole|*|Get Functional Menu Role|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|getNotificationAppRoles|*|Get Notification App Roles|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|get_role_functions%2f%2a|*|Get Role Functions|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|get_roles%2f%2a|*|getRolesOfApp|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|getUserAppsWebAnalytics|*|Get User Apps Web Analytics|"{'org.onap.portal|Account_Administrator'}" 
-org.onap.portal|url|getUserJourneyAnalyticsReport|*|Get User Journey Report|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|login|*|Login|"{'org.onap.portal|Standard_User', 'org.onap.portal|System_Administrator'}" -org.onap.portal|url|notification_code|*|Notification Code|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|role_function_list%2fsaveRoleFunction%2f%2a|*|Save Role Function|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|saveNotification|*|publish notifications|"{'org.onap.portal|Portal_Notification_Admin'}" -org.onap.portal|url|syncRoles|*|SyncRoles|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|url_role.htm|*|role page| -org.onap.portal|url|url_welcome.htm|*|welcome page| -org.onap.portal|url|userAppRoles|*|userAppRoles|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|userApps|*|User Apps|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|view_reports|*|View Raptor reports| -org.onap.refrepo|access|*|*|AAF Namespace Write Access|"{'org.onap.refrepo|admin', 'org.onap.refrepo|service'}" -org.onap.refrepo|access|*|read|AAF Namespace Read Access|"{'org.onap.refrepo|owner'}" -org.onap.refrepo|certman|local|request,ignoreIPs,showpass||"{'org.onap.refrepo|admin', 'org.onap.refrepo|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.sdc|access|*|*|AAF Namespace Write Access|"{'org.onap.sdc|admin'}" -org.onap.sdc|access|*|read|AAF Namespace Read Access|"{'org.onap.sdc|owner'}" -org.onap.sdc|administrator.access|*|*||"{'org.onap.sdc|admin'}" -org.onap.sdc|certman|local|request,ignoreIPs,showpass||"{'org.onap.sdc|admin', 'org.osaaf.aaf|deploy'}" -org.onap.sdc|designer.access|*|*||"{'org.onap.sdc|designer'}" -org.onap.sdc|governance.access|*|*||"{'org.onap.sdc|governor'}" -org.onap.sdc|operations.access|*|*||"{'org.onap.sdc|ops'}" -org.onap.sdc|tester.access|*|*||"{'org.onap.sdc|tester'}" -org.onap.sdnc|access|*|*|AAF Namespace Write Access|"{'org.onap.sdnc|admin'}" 
-org.onap.sdnc|access|*|read|AAF Namespace Read Access|"{'org.onap.sdnc|owner'}" -org.onap.sdnc-cds|access|*|*|AAF Namespace Write Access|"{'org.onap.sdnc-cds|admin', 'org.onap.sdnc-cds|service'}" -org.onap.sdnc-cds|access|*|read|AAF Namespace Read Access|"{'org.onap.sdnc-cds|owner'}" -org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.sdnc|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.sdnc|odl|odl-api|create||"{'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|delete||"{'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|*||"{'org.onap.sdnc|admin', 'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|read||"{'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|update||"{'org.onap.sdnc|service'}" -org.onap.so|access|*|*|AAF Namespace Write Access|"{'org.onap.so|admin', 'org.onap.so|app'}" -org.onap.so|access|*|read|AAF Namespace Read Access|"{'org.onap.so|owner'}" -org.onap.so|certman|local|request,ignoreIPs,showpass||"{'org.onap.so|admin', 'org.onap.so|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.vfc|access|*|*|AAF Namespace Write Access|"{'org.onap.vfc|admin', 'org.onap.vfc|service'}" -org.onap.vfc|access|*|read|AAF Namespace Read Access|"{'org.onap.vfc|owner'}" -org.onap.vfc|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid1|access|*|*|AAF Namespace Write Access|"{'org.onap.vid1|admin'}" -org.onap.vid1|access|*|read|AAF Namespace Read Access|"{'org.onap.vid1|owner'}" -org.onap.vid1|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid2|access|*|*|AAF Namespace Write Access|"{'org.onap.vid2|admin'}" -org.onap.vid2|access|*|read|AAF Namespace Read Access|"{'org.onap.vid2|owner'}" -org.onap.vid2|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid|access|*|*|AAF Namespace Write Access|"{'org.onap.vid|admin'}" -org.onap.vid|access|*|read|AAF Namespace Read Access|"{'org.onap.vid|owner'}" 
-org.onap.vid|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid|menu|menu_admin|*|Admin Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_ajax|*|Ajax Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_changemanagement|*|VNF Changes|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_concept|*|CoNCEPT| -org.onap.vid|menu|menu_customer_create|*|Customer Create|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_customer|*|Customer Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_doclib|*|Document Library Menu| -org.onap.vid|menu|menu_feedback|*|Feedback Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_help|*|Help Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_home|*|Home Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_itracker|*|iTracker Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_job_create|*|Job Create|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_job_designer|*|Process in Designer view| -org.onap.vid|menu|menu_job|*|Job Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_logout|*|Logout Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_map|*|Map Menu|"{'org.onap.vid|Standard_User'}" -org.onap.vid|menu|menu_newserinstance|*|Create New Service Instance|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_notes|*|Notes Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_process|*|Process List|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_profile_create|*|Profile Create|"{'org.onap.vid|System_Administrator'}" 
-org.onap.vid|menu|menu_profile_import|*|Profile Import|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_profile|*|Profile Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_reports|*|Reports Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_sample|*|Sample Pages Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_searchexisting|*|Search for Existing Service Instances|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_servicemodels|*|Browse SDC Service Instances|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_tab|*|Sample Tab Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_task_search|*|Task Search| -org.onap.vid|menu|menu_task|*|Task Menu| -org.onap.vid|menu|menu_test|*|Test Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_viewlog|*|Log Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|url|doclib_admin|*|Document Library Admin|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|url|doclib|*|Document Library|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|url|login|*|Login|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|url|view_reports|*|View Raptor reports| -org.onap.uui|access|*|*|AAF Namespace Write Access|"{'org.onap.uui|admin', 'org.onap.uui|service'}" -org.onap.uui|access|*|read|AAF Namespace Read Access|"{'org.onap.uui|owner'}" -org.onap.uui|certman|local|request,ignoreIPs,showpass||"{'org.onap.uui|admin', 'org.onap.uui|seeCerts', 'org.osaaf.aaf|deploy'}" -org.openecomp|access|*|*|OpenEcomp Write Access|{'org.openecomp.admin'} -org.openecomp|access|*|read|OpenEcomp Read Access|{'org.openecomp.owner'} -org.openecomp.dmaapBC|access|*|*|DMaap Write Access|{'org.openecomp.dmaapBC.admin'} 
-org.openecomp.dmaapBC|access|*|read|DMaap Read Access|{'org.openecomp.dmaapBC.owner'} -org.osaaf.aaf|access|*|*|AAF Write Access|{'org.osaaf.aaf.admin'} -org.osaaf.aaf|access|*|read,approve|AAF Read Access|{'org.osaaf.aaf.owner'} -org.osaaf.aaf|cache|all|clear||"{'org.osaaf.aaf|admin'}" -org.osaaf.aaf|cache|*|clear||"{'org.osaaf.aaf|admin', 'org.osaaf.aaf|service'}" -org.osaaf.aaf|cache|role|clear||"{'org.osaaf.aaf|admin'}" -org.osaaf.aaf|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.osaaf.aaf|password|*|create,reset||"{'org.osaaf.aaf|admin'}" -org.osaaf|access|*|*|OSAAF Write Access|{'org.osaaf.admin'} -org.osaaf|access|*|read,appove|OSAAF Read Access|{'org.osaaf.owner'} -org.osaaf.people|access|*|*|AAF Namespace Write Access|"{'org.osaaf.people|admin'}" -org.osaaf.people|access|*|read|AAF Namespace Read Access|"{'org.osaaf.people|owner'}" diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat deleted file mode 100644 index 111b94e6a8..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat +++ /dev/null 
@@ -1,352 +0,0 @@
-org|admin|Org Admins|"{'org.access|*|*'}"
-org.onap.a1p|admin|AAF Namespace Administrators|"{'org.onap.a1p|access|*|*'}"
-org.onap.a1p|owner|AAF Namespace Owners|"{'org.onap.a1p|access|*|read'}"
-org.onap.a1p|service||"{'org.onap.a1p|access|*|*'}"
-org.onap.aaf-sms|admin|AAF Namespace Administrators|"{'org.onap.aaf-sms|access|*|*'}"
-org.onap.aaf-sms|owner|AAF Namespace Owners|"{'org.onap.aaf-sms|access|*|read'}"
-org.onap.aaf-sms|service||"{'org.onap.aaf-sms|access|*|read'}"
-org.onap.aai|aaiui||
-org.onap.aai|Account_Administrator||
-org.onap.aai|admin|AAF Namespace Administrators|"{'org.onap.aai|access|*|*'}"
-org.onap.aai|owner|AAF Namespace Owners|"{'org.onap.aai|access|*|read'}"
-org.onap.aai|resources_all|resources_all|"{'org.onap.aai|resources|*|delete', 'org.onap.aai|resources|*|get', 'org.onap.aai|resources|*|patch', 'org.onap.aai|resources|*|post', 'org.onap.aai|resources|*|put'}"
-org.onap.aai|resources_readonly|resources_readonly|"{'org.onap.aai|resources|*|get'}"
-org.onap.aai|traversal_advanced|traversal_advanced|"{'org.onap.aai|traversal|*|advanced'}"
-org.onap.aai|traversal_basic|traversal_basic|"{'org.onap.aai|traversal|*|basic'}"
-org.onap.aai-resources|admin|AAF Namespace Administrators|"{'org.onap.aai-resources|access|*|*'}"
-org.onap.aai-resources|owner|AAF Namespace Owners|"{'org.onap.aai-resources|access|*|read'}"
-org.onap.aai-resources|service||"{'org.onap.aai-resources|access|*|*'}"
-org.onap.aai-schema-service|admin|AAF Namespace Administrators|"{'org.onap.aai-schema-service|access|*|*'}"
-org.onap.aai-schema-service|owner|AAF Namespace Owners|"{'org.onap.aai-schema-service|access|*|read'}"
-org.onap.aai-schema-service|service||"{'org.onap.aai-schema-service|access|*|*'}"
-org.onap.aai-traversal|admin|AAF Namespace Administrators|"{'org.onap.aai-traversal|access|*|*'}"
-org.onap.aai-traversal|owner|AAF Namespace Owners|"{'org.onap.aai-traversal|access|*|read'}"
-org.onap.aai-traversal|service||"{'org.onap.aai-traversal|access|*|*'}" -org.onap|admin|Onap Admins|"{'org.onap.access|*|*'}" -org.onap.appc|admin|AAF Namespace Administrators|"{'org.onap.appc|access|*|*'}" -org.onap.appc|apidoc||"{'org.onap.appc|apidoc|/apidoc/.*|ALL'}" -org.onap.appc|jolokia|| -org.onap.appc|odl|Onap APPC ODL Admins|"{'org.onap.appc.odl|odl-api|*'}" -org.onap.appc|owner|AAF Namespace Owners|"{'org.onap.appc|access|*|read'}" -org.onap.appc|restconf||"{'org.onap.appc|restconf|/restconf/.*|ALL'}" -org.onap.appc|service||"{'org.onap.appc|access|*|*'}" -org.onap.appc-cdt|admin|AAF Namespace Administrators|"{'org.onap.appc-cdt|access|*|*'}" -org.onap.appc-cdt|owner|AAF Namespace Owners|"{'org.onap.appc-cdt|access|*|read'}" -org.onap.appc-cdt|service||"{'org.onap.appc-cdt|access|*|*'}" -org.onap.cds|admin|AAF Namespace Administrators|"{'org.onap.cds|access|*|*'}" -org.onap.cds|owner|AAF Namespace Owners|"{'org.onap.cds|access|*|read'}" -org.onap.clamp|admin|AAF Namespace Administrators|"{'org.onap.clamp|access|*|*', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}" -org.onap.clamp|clds.admin.dev|Onap clamp Admin Dev|"{'org.onap.clamp.clds.template|dev|update', 'org.onap.clamp|clds.cl|dev|read', 'org.onap.clamp|clds.cl|dev|update', 'org.onap.clamp|clds.template|dev|read', 'org.onap.clamp|clds.template|dev|update'}" -org.onap.clamp|clds.designer.dev|Onap clamp Designer Dev|"{'org.onap.clamp.clds.template|dev|update'}" -org.onap.clamp|clds.vf_filter_all.dev|Onap clamp Filter All Dev|"{'org.onap.clamp.clds.filter.vf|dev|*'}" -org.onap.clampdemo|admin|Onap Clamp Test Admins|"{'org.onap.clampdemo.access|*|*'}" -org.onap.clampdemo|owner|onap clamp Test Owners|"{'org.onap.clampdemo.access|*|read'}" -org.onap.clamp|owner|AAF Namespace Owners| -org.onap.clamp|seeCerts||"{'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}" -org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 
'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*', 'org.onap.clamp|clds.policies|dev|*'}" -org.onap.clamptest|admin|Onap Clamp Test Admins|"{'org.onap.clamptest.access|*|*'}" -org.onap.clamptest|owner|onap clamp Test Owners|"{'org.onap.clamptest.access|*|read'}" -org.onap.cli|admin|AAF Namespace Administrators|"{'org.onap.cli|access|*|*'}" -org.onap.cli|owner|AAF Namespace Owners|"{'org.onap.cli|access|*|read'}" -org.onap.cli|service||"{'org.onap.cli|access|*|*'}" -org.onap.dcae|admin|AAF Namespace Administrators|"{'org.onap.dcae|access|*|*', 'org.onap.dmaap-bc|access|*|read'}" -org.onap.dcae|owner|AAF Namespace Owners|"{'org.onap.dcae|access|*|read'}" -org.onap.dcae|pmPublisher|| -org.onap.dcae|pmSubscriber|| -org.onap.dcae|pnfPublisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view', 'org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|pub', 'org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|sub'}" -org.onap.dcae|pnfSubscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|view'}" -org.onap.dcae|seeCerts||"{'org.onap.dcae|certman|local|request,ignoreIPs,showpass'}" -org.onap.dmaap|admin|AAF Namespace Administrators|"{'org.onap.dmaap|access|*|*'}" -org.onap.dmaap-bc|admin|AAF Namespace Administrators|"{'org.onap.dcae|access|*|*', 'org.onap.dmaap-bc.api|access|*|*', 'org.onap.dmaap-bc.api|access|*|read', 'org.onap.dmaap-bc|access|*|*'}" -org.onap.dmaap.bc|admin|AAF Namespace Administrators|"{'org.onap.dmaap.bc|access|*|*'}" -org.onap.dmaapbc|admin|AAF Namespace Administrators|"{'org.onap.dmaapbc|access|*|*'}" 
-org.onap.dmaap-bc.api|admin|AAF Namespace Administrators|"{'org.onap.dmaap-bc.api|access|*|*'}" -org.onap.dmaap-bc.api|Controller||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|POST', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|PUT', 'org.onap.dmaap-bc.api|dmaap|boot|DELETE', 'org.onap.dmaap-bc.api|dmaap|boot|GET', 'org.onap.dmaap-bc.api|dmaap|boot|POST', 'org.onap.dmaap-bc.api|dmaap|boot|PUT', 'org.onap.dmaap-bc.api|dmaap|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|POST', 'org.onap.dmaap-bc.api|dmaap|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT', 'org.onap.dmaap-bc.api|feeds|onapdemo|DELETE', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|POST', 'org.onap.dmaap-bc.api|feeds|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|PUT', 'org.onap.dmaap-bc.api|topics|onapdemo|DELETE', 'org.onap.dmaap-bc.api|topics|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|POST', 
'org.onap.dmaap-bc.api|topics|onapdemo|PUT'}" -org.onap.dmaap-bc.api|Inventory||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|GET'}" -org.onap.dmaap-bc.api|Metrics||"{'org.onap.dmaap-bc.api|bridge|onapdemo|GET', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|GET'}" -org.onap.dmaap-bc.api|Orchestrator||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|POST', 'org.onap.dmaap-bc.api|feeds|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|DELETE', 'org.onap.dmaap-bc.api|topics|onapdemo|GET', 
'org.onap.dmaap-bc.api|topics|onapdemo|POST', 'org.onap.dmaap-bc.api|topics|onapdemo|PUT'}" -org.onap.dmaap-bc.api|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc.api|access|*|read'}" -org.onap.dmaap-bc.api|PortalUser||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT', 'org.onap.dmaap-bc.api|feeds|onapdemo|DELETE', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|POST', 'org.onap.dmaap-bc.api|feeds|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|GET'}" -org.onap.dmaap-bc-mm-prov|admin|AAF Namespace Administrators|"{'org.onap.dmaap-bc-mm-prov|access|*|*'}" -org.onap.dmaap-bc-mm-prov|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc-mm-prov|access|*|read'}" -org.onap.dmaap-bc|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc|access|*|read'}" -org.onap.dmaap.bc|owner|AAF Namespace Owners|"{'org.onap.dmaap.bc|access|*|read'}" -org.onap.dmaapbc|owner|AAF Namespace Owners|"{'org.onap.dmaapbc|access|*|read'}" -org.onap.dmaap-bc|seeCerts||"{'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass'}" -org.onap.dmaap.bc|service||"{'org.onap.dmaap.bc|access|*|*'}" -org.onap.dmaap-bc|service||"{'org.onap.dmaap-bc.api|access|*|read', 'org.onap.dmaap-dr|feed|*|*', 'org.onap.dmaap-dr|sub|*|*', 'org.onap.dmaap.mr|access|*|*', 
'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create,destroy', 'org.onap.dmaap.mr|topic|*|*', 'org.onap.dmaap.mr|topic|*|view'}" -org.onap.dmaap-bc-topic-mgr|admin|AAF Namespace Administrators|"{'org.onap.dcae|access|*|*', 'org.onap.dmaap-bc-topic-mgr|access|*|*'}" -org.onap.dmaap-bc-topic-mgr|client||"{'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create', 'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|destroy'}" -org.onap.dmaap-bc-topic-mgr|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc-topic-mgr|access|*|read'}" -org.onap.dmaap-dr|admin|AAF Namespace Administrators|"{'org.onap.dmaap-dr|access|*|*'}" -org.onap.dmaap-dr|feed.admin||"{'org.onap.dmaap-dr|feed|*|*'}" -org.onap.dmaap-dr|owner|AAF Namespace Owners|"{'org.onap.dmaap-dr|access|*|read'}" -org.onap.dmaap-dr|seeCerts||"{'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass'}" -org.onap.dmaap-dr|sub.admin||"{'org.onap.dmaap-dr|sub|*|*'}" -org.onap.dmaap.mr|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr|access|*|*'}" -org.onap.dmaap-mr|admin|AAF Namespace Administrators|"{'org.onap.dmaap-mr|access|*|*', 'org.onap.dmaap-mr|saitest|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub'}" -org.onap.dmaap.mr.aNewTopic-123450|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aNewTopic-123450|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-123450|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-123450|access|*|read'}" -org.onap.dmaap.mr.aNewTopic-123450|publisher|| -org.onap.dmaap.mr.aNewTopic-123450|subscriber|| -org.onap.dmaap.mr.aNewTopic-123451|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aNewTopic-123451|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-123451|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-123451|access|*|read'}" -org.onap.dmaap.mr.aNewTopic-123451|publisher|| -org.onap.dmaap.mr.aNewTopic-123451|subscriber|| -org.onap.dmaap.mr.aNewTopic-1547667570|admin|AAF Namespace 
Administrators|"{'org.onap.dmaap.mr.aNewTopic-1547667570|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-1547667570|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-1547667570|access|*|read'}" -org.onap.dmaap.mr|aNewTopic-1547667571.publisher|| -org.onap.dmaap.mr|aNewTopic-1547667571.subscriber|| -org.onap.dmaap.mr.aNewTopic-|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aNewTopic-|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-|access|*|read'}" -org.onap.dmaap.mr.aNewTopic-|publisher|| -org.onap.dmaap.mr.aNewTopic-|subscriber|| -org.onap.dmaap.mr.aTest-1547665517|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547665517|access|*|*'}" -org.onap.dmaap.mr.aTest-1547665517|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547665517|access|*|read'}" -org.onap.dmaap.mr.aTest-1547665517|publisher|| -org.onap.dmaap.mr|aTest-1547665518.subscriber|| -org.onap.dmaap.mr.aTest-1547666628|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547666628|access|*|*'}" -org.onap.dmaap.mr.aTest-1547666628|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547666628|access|*|read'}" -org.onap.dmaap.mr|aTest-1547666629.publisher|| -org.onap.dmaap.mr|aTest-1547666629.subscriber|| -org.onap.dmaap.mr.aTest-1547666760|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547666760|access|*|*'}" -org.onap.dmaap.mr.aTest-1547666760|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547666760|access|*|read'}" -org.onap.dmaap.mr|aTest-1547666761.publisher|| -org.onap.dmaap.mr|aTest-1547666761.subscriber|| -org.onap.dmaap.mr.aTest-1547666950|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547666950|access|*|*'}" -org.onap.dmaap.mr.aTest-1547666950|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547666950|access|*|read'}" -org.onap.dmaap.mr.aTest-1547666950|publisher|| -org.onap.dmaap.mr|aTest-1547666951.subscriber|| 
-org.onap.dmaap.mr.aTest-1547667031|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547667031|access|*|*'}" -org.onap.dmaap.mr.aTest-1547667031|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547667031|access|*|read'}" -org.onap.dmaap.mr|aTest-1547667032.publisher|| -org.onap.dmaap.mr|aTest-1547667032.subscriber|| -org.onap.dmaap.mr.aTestTopic-123456|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-123456|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-123456|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-123456|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-123456|publisher|| -org.onap.dmaap.mr.aTestTopic-123456|subscriber|| -org.onap.dmaap.mr.aTestTopic-123457|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-123457|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-123457|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-123457|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-123457|publisher|| -org.onap.dmaap.mr.aTestTopic-123457|subscriber|| -org.onap.dmaap.mr.aTestTopic-1547660509|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547660509|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547660509|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547660509|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547660861|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547660861|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547660861|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547660861|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547661011|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547661011|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547661011|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547661011|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547661011|publisher|| -org.onap.dmaap.mr.aTestTopic-1547662122|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547662122|access|*|*'}" 
-org.onap.dmaap.mr.aTestTopic-1547662122|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547662122|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547662122|publisher|| -org.onap.dmaap.mr.aTestTopic-1547662451|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547662451|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547662451|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547662451|access|*|read'}" -org.onap.dmaap.mr|aTestTopic-1547662452.publisher|| -org.onap.dmaap.mr.aTestTopic-1547664813|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547664813|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547664813|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547664813|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547664813|publisher|| -org.onap.dmaap.mr.aTestTopic-1547664813|subscriber|| -org.onap.dmaap.mr.aTestTopic-1547664928|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547664928|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547664928|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547664928|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547664928|publisher|| -org.onap.dmaap.mr.aTestTopic-1547664928|subscriber|| -org.onap.dmaap.mr.aTestTopic-1547666068|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547666068|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547666068|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547666068|access|*|read'}" -org.onap.dmaap.mr.aTopic-1547654909|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTopic-1547654909|access|*|*'}" -org.onap.dmaap.mr.aTopic-1547654909|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTopic-1547654909|access|*|read'}" -org.onap.dmaap.mr|create||"{'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create'}" -org.onap.dmaap.mr|destroy||"{'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|destroy'}" 
-org.onap.dmaap.mr.dgl000|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.dgl000|access|*|*'}" -org.onap.dmaap.mr.dgl000|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.dgl000|access|*|read'}" -org.onap.dmaap.mr.dgl000|publisher|| -org.onap.dmaap.mr.dgl000|subscriber|| -org.onap.dmaap.mr.dgl_ready|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.dgl_ready|access|*|*'}" -org.onap.dmaap.mr.dgl_ready|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.dgl_ready|access|*|read'}" -org.onap.dmaap.mr.dgl_ready|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|view'}" -org.onap.dmaap.mr.dgl_ready|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|view'}" -org.onap.dmaap.mr.IdentityTopic-12345|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.IdentityTopic-12345|access|*|*'}" -org.onap.dmaap.mr.IdentityTopic-12345|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.IdentityTopic-12345|access|*|read'}" -org.onap.dmaap.mr.IdentityTopic-12345|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|view'}" -org.onap.dmaap.mr.IdentityTopic-12345|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|view'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|*'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|read'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|pub', 
'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|view'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|view'}" -org.onap.dmaap.mr|mirrormaker.admin||"{'org.onap.dmaap.mr|mirrormaker|*|admin'}" -org.onap.dmaap.mr.mirrormakeragent|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.mirrormakeragent|access|*|*'}" -org.onap.dmaap.mr.mirrormakeragent|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.mirrormakeragent|access|*|read'}" -org.onap.dmaap.mr.mirrormakeragent|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|view'}" -org.onap.dmaap.mr.mirrormakeragent|pub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|pub'}" -org.onap.dmaap.mr.mirrormakeragent|sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|sub'}" -org.onap.dmaap.mr.mirrormakeragent|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|view'}" -org.onap.dmaap.mr|mirrormaker.user||"{'org.onap.dmaap.mr|mirrormaker|*|user'}" -org.onap.dmaap.mr|mmagent.sub|| -org.onap.dmaap.mr|mmagent.sub1||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mmagent|sub'}" -org.onap.dmaap.mr|mrtesttopic.pub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|pub'}" -org.onap.dmaap.mr|mrtesttopic.sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|sub'}" -org.onap.dmaap.mr|mrtestt.pub|| -org.onap.dmaap-mr|owner|AAF Namespace Owners|"{'org.onap.dmaap-mr|access|*|read'}" -org.onap.dmaap.mr|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr|access|*|read'}" -org.onap.dmaap.mr.partitionTest-1546033194|admin|AAF Namespace 
Administrators|"{'org.onap.dmaap.mr.partitionTest-1546033194|access|*|*'}" -org.onap.dmaap.mr.partitionTest-1546033194|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.partitionTest-1546033194|access|*|read'}" -org.onap.dmaap.mr.PM_MAPPER|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.PM_MAPPER|access|*|*'}" -org.onap.dmaap.mr.PM_MAPPER|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.PM_MAPPER|access|*|read'}" -org.onap.dmaap.mr.PM_MAPPER|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|view'}" -org.onap.dmaap.mr.PM_MAPPER|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|view'}" -org.onap.dmaap.mr.PNF_READY|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.PNF_READY|access|*|*'}" -org.onap.dmaap.mr.PNF_READY|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.PNF_READY|access|*|read'}" -org.onap.dmaap.mr.PNF_READY|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view'}" -org.onap.dmaap.mr.PNF_READY|pub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|view'}" -org.onap.dmaap.mr.PNF_READY|sub|| -org.onap.dmaap.mr.PNF_READY|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|sub', 
'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view'}" -org.onap.dmaap.mr.PNF_REGISTRATION|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.PNF_REGISTRATION|access|*|*'}" -org.onap.dmaap.mr.PNF_REGISTRATION|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.PNF_REGISTRATION|access|*|read'}" -org.onap.dmaap.mr.PNF_REGISTRATION|pub|| -org.onap.dmaap.mr.PNF_REGISTRATION|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap.mr.PNF_REGISTRATION|sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap.mr|PNF_REGISTRATION.sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap.mr.PNF_REGISTRATION|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap-mr|Publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|pub', 
'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|view'}" -org.onap.dmaap-mr|sai||"{'org.onap.dmaap-mr|saitest|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub'}" -org.onap.dmaap.mr|service||"{'org.onap.dmaap.mr|access|*|read'}" -org.onap.dmaap-mr.sunil|admin2||"{'org.onap.dmaap-mr.sunil|test|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub'}" -org.onap.dmaap-mr.sunil|admin|AAF Namespace Administrators|"{'org.onap.dmaap-mr.sunil|access|*|*'}" -org.onap.dmaap-mr.sunil|owner|AAF Namespace Owners|"{'org.onap.dmaap-mr.sunil|access|*|read'}" -org.onap.dmaap.mr|test1||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.test1|pub'}" -org.onap.dmaap-mr.test|admin|AAF Namespace Administrators|"{'org.onap.dmaap-mr.test|access|*|*'}" -org.onap.dmaap-mr.test|owner|AAF Namespace Owners|"{'org.onap.dmaap-mr.test|access|*|read'}" -org.onap.dmaap.mr.topic-000|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.topic-000|access|*|*'}" -org.onap.dmaap.mr.topic-000|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.topic-000|access|*|read'}" -org.onap.dmaap.mr.topic-000|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view'}" 
-org.onap.dmaap.mr.topic-000|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view'}" -org.onap.dmaap.mr.topic-001|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.topic-001|access|*|*'}" -org.onap.dmaap.mr.topic-001|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.topic-001|access|*|read'}" -org.onap.dmaap.mr.topic-001|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|view'}" -org.onap.dmaap.mr.topic-001|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|view'}" -org.onap.dmaap.mr.topic-002|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.topic-002|access|*|*'}" -org.onap.dmaap.mr.topic-002|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.topic-002|access|*|read'}" -org.onap.dmaap.mr.topic-002|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|view'}" -org.onap.dmaap.mr.topic-002|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|view'}" -org.onap.dmaap.mr|view||"{'org.onap.dmaap.mr|topic|*|view'}" -org.onap.dmaap.mr|viewtest||"{'org.onap.dmaap.mr|viewtest|*|view'}" -org.onap.dmaap|owner|AAF Namespace Owners|"{'org.onap.dmaap|access|*|read'}" -org.onap.holmes|admin|AAF Namespace Administrators|"{'org.onap.holmes|access|*|*'}" -org.onap.holmes|owner|AAF Namespace Owners|"{'org.onap.holmes|access|*|read'}" -org.onap.holmes|service|| -org.onap.holmes-engine-mgmt|admin|AAF Namespace Administrators|"{'org.onap.holmes-engine-mgmt|access|*|*', 'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-engine-mgmt|owner|AAF Namespace Owners|"{'org.onap.holmes-engine-mgmt|access|*|read'}" 
-org.onap.holmes-engine-mgmt|seeCerts||"{'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-engine-mgmt|service||"{'org.onap.holmes-engine-mgmt|access|*|*'}" -org.onap.holmes-rule-mgmt|admin|AAF Namespace Administrators|"{'org.onap.holmes-rule-mgmt|access|*|*', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-rule-mgmt|owner|AAF Namespace Owners|"{'org.onap.holmes-rule-mgmt|access|*|read'}" -org.onap.holmes-rule-mgmt|seeCerts||"{'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-rule-mgmt|service||"{'org.onap.holmes-rule-mgmt|access|*|*'}" -org.onap.msb-eag|admin|AAF Namespace Administrators|"{'org.onap.msb-eag|access|*|*'}" -org.onap.msb-eag|owner|AAF Namespace Owners|"{'org.onap.msb-eag|access|*|read'}" -org.onap.msb-eag|service||"{'org.onap.msb-eag|access|*|*'}" -org.onap.msb-iag|admin|AAF Namespace Administrators|"{'org.onap.msb-iag|access|*|*'}" -org.onap.msb-iag|owner|AAF Namespace Owners|"{'org.onap.msb-iag|access|*|read'}" -org.onap.msb-iag|service||"{'org.onap.msb-iag|access|*|*'}" -org.onap.music|admin|AAF Namespace Administrators|"{'org.onap.music|access|*|*', 'org.onap.music|certman|local|request,ignoreIPs,showpass'}" -org.onap.music|owner|AAF Namespace Owners|"{'org.onap.music|access|*|read'}" -org.onap.music|service|| -org.onap.nbi|admin|AAF Namespace Administrators|"{'org.onap.nbi|access|*|*', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass'}" -org.onap.nbi|owner|AAF Namespace Owners|"{'org.onap.nbi|access|*|read'}" -org.onap.nbi|seeCerts||"{'org.onap.nbi|certman|local|request,ignoreIPs,showpass'}" -org.onap.nbi|service||"{'org.onap.nbi|access|*|*'}" -org.onap.oof|admin|AAF Namespace Administrators|"{'org.onap.oof|access|*|*', 'org.onap.oof|certman|local|request,ignoreIPs,showpass'}" -org.onap.oof|owner|AAF Namespace Owners|"{'org.onap.oof|access|*|read'}" -org.onap.oof|service||"{'org.onap.oof|access|*|*'}" -org.onap|owner|onap 
Owners|"{'org.onap.access|*|read'}" -org.onap.policy|Account_Administrator|null| -org.onap.policy|admin||"{'org.onap.policy|access|*|*'}" -org.onap.policy|owner|AAF Namespace Owners|"{'org.onap.policy|access|*|read'}" -org.onap.policy|pdpd.admin|pdpd.admin|"{'org.onap.policy|access|*|*', 'org.onap.policy|access|*|read', 'org.onap.policy|pdpd.healthcheck.configuration|*|get', 'org.onap.policy|pdpd.healthcheck|*|get', 'org.onap.policy|pdpd.telemetry|*|delete', 'org.onap.policy|pdpd.telemetry|*|get', 'org.onap.policy|pdpd.telemetry|*|post', 'org.onap.policy|pdpd.telemetry|*|put'}" -org.onap.policy|pdpd.monitor|pdpd.monitor|"{'org.onap.policy|pdpd.healthcheck|*|get', 'org.onap.policy|pdpd.telemetry|*|get'}" -org.onap.policy|pdpx.admin|pdpx.admin|"{'org.onap.policy|pdpx.config|*|*', 'org.onap.policy|pdpx.createDictionary|*|*', 'org.onap.policy|pdpx.createPolicy|*|*', 'org.onap.policy|pdpx.decision|*|*', 'org.onap.policy|pdpx.getConfigByPolicyName|*|*', 'org.onap.policy|pdpx.getConfig|*|*', 'org.onap.policy|pdpx.getDecision|*|*', 'org.onap.policy|pdpx.getDictionary|*|*', 'org.onap.policy|pdpx.getMetrics|*|*', 'org.onap.policy|pdpx.listConfig|*|*', 'org.onap.policy|pdpx.listPolicy|*|*', 'org.onap.policy|pdpx.list|*|*', 'org.onap.policy|pdpx.policyEngineImport|*|*', 'org.onap.policy|pdpx.pushPolicy|*|*', 'org.onap.policy|pdpx.sendEvent|*|*', 'org.onap.policy|pdpx.updateDictionary|*|*', 'org.onap.policy|pdpx.updatePolicy|*|*'}" -org.onap.policy|pdpx.monitor|pdpx.monitor| -org.onap.policy|Policy_Admin|Policy_Admin|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_dictionary|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 'org.onap.policy|url|policy_push|*'}" -org.onap.policy|Policy_Editor|Policy_Editor|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 
'org.onap.policy|url|policy_push|*'}" -org.onap.policy|Policy_Guest|Policy_Guest|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*'}" -org.onap.policy|Policy_Super_Admin|Policy_Super_Admin|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_admin|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_dictionary|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 'org.onap.policy|url|policy_push|*', 'org.onap.policy|url|policy_roles|*'}" -org.onap.policy|Policy_Super_Guest|Policy_Super_Guest|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*'}" -org.onap.policy|seeCerts|seeCerts|"{'org.onap.policy|certman|local|request,ignoreIPs,showpass'}" -org.onap.policy|Standard_User|Standard User|"{'org.onap.policy|menu|menu_ajax|*', 'org.onap.policy|menu|menu_customer_create|*', 'org.onap.policy|menu|menu_customer|*', 'org.onap.policy|menu|menu_home|*', 'org.onap.policy|menu|menu_itracker|*', 'org.onap.policy|menu|menu_logout|*', 'org.onap.policy|menu|menu_map|*', 'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|menu|menu_profile|*', 'org.onap.policy|menu|menu_reports|*', 'org.onap.policy|menu|menu_tab|*', 'org.onap.policy|url|login|*', 'org.onap.policy|url|policy_admin|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_dictionary|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 'org.onap.policy|url|policy_push|*', 'org.onap.policy|url|policy_roles|*'}" -org.onap.policy|System_Administrator|System Administrator|"{'org.onap.policy|menu|menu_admin|*', 'org.onap.policy|menu|menu_ajax|*', 'org.onap.policy|menu|menu_customer_create|*', 'org.onap.policy|menu|menu_customer|*', 'org.onap.policy|menu|menu_feedback|*', 'org.onap.policy|menu|menu_help|*', 
'org.onap.policy|menu|menu_home|*', 'org.onap.policy|menu|menu_itracker|*', 'org.onap.policy|menu|menu_job_create|*', 'org.onap.policy|menu|menu_job|*', 'org.onap.policy|menu|menu_logout|*', 'org.onap.policy|menu|menu_notes|*', 'org.onap.policy|menu|menu_process|*', 'org.onap.policy|menu|menu_profile_create|*', 'org.onap.policy|menu|menu_profile_import|*', 'org.onap.policy|menu|menu_profile|*', 'org.onap.policy|menu|menu_reports|*', 'org.onap.policy|menu|menu_sample|*', 'org.onap.policy|menu|menu_tab|*', 'org.onap.policy|menu|menu_test|*', 'org.onap.policy|url|doclib_admin|*', 'org.onap.policy|url|doclib|*', 'org.onap.policy|url|login|*'}" -org.onap.pomba|admin|AAF Namespace Administrators|"{'org.onap.pomba|access|*|*'}" -org.onap.pomba|owner|AAF Namespace Owners|"{'org.onap.pomba|access|*|read'}" -org.onap.portal|Account_Administrator|Account Administrator|"{'org.onap.portal|menu|menu_acc_admin|*', 'org.onap.portal|url|centralizedApps|*', 'org.onap.portal|url|getAdminNotifications|*', 'org.onap.portal|url|getAllWebAnalytics|*', 'org.onap.portal|url|getFunctionalMenuRole|*', 'org.onap.portal|url|getNotificationAppRoles|*', 'org.onap.portal|url|getUserAppsWebAnalytics|*', 'org.onap.portal|url|getUserJourneyAnalyticsReport|*', 'org.onap.portal|url|get_role_functions%2f%2a|*', 'org.onap.portal|url|get_roles%2f%2a|*', 'org.onap.portal|url|notification_code|*', 'org.onap.portal|url|role_function_list%2fsaveRoleFunction%2f%2a|*', 'org.onap.portal|url|syncRoles|*', 'org.onap.portal|url|userAppRoles|*', 'org.onap.portal|url|userApps|*'}" -org.onap.portal|admin|Portal Admins|"{'org.onap.portal.access|*|*'}" -org.onap.portal|owner|Portal Owner|"{'org.onap.portal.access|*|read'}" -org.onap.portal|Portal_Notification_Admin|Portal Notification Admin|"{'org.onap.portal|url|edit_notification|*', 'org.onap.portal|url|getAdminNotifications|*', 'org.onap.portal|url|saveNotification|*'}" -org.onap.portal|Portal_Usage_Analyst|Portal Usage 
Analyst|"{'org.onap.portal|menu|menu_web_analytics|*'}" -org.onap.portal|Restricted_App_Role|Restricted App Role| -org.onap.portal|Standard_User|Standard User|"{'org.onap.portal|menu|menu_home|*', 'org.onap.portal|menu|menu_logout|*', 'org.onap.portal|url|login|*'}" -org.onap.portal|System_Administrator|System Administrator|"{'org.onap.portal|menu|menu_acc_admin|*', 'org.onap.portal|menu|menu_admin|*', 'org.onap.portal|menu|menu_home|*', 'org.onap.portal|menu|menu_logout|*', 'org.onap.portal|url|login|*'}" -org.onap.portal.test|admin|AAF Namespace Administrators|"{'org.onap.portal.test|access|*|*'}" -org.onap.portal.test|oof-homing|| -org.onap.portal.test|owner|AAF Namespace Owners|"{'org.onap.portal.test|access|*|read'}" -org.onap.portal.test|user1|| -org.onap.portal|Usage_Analyst|Usage Analyst|"{'org.onap.portal|menu|menu_admin|*', 'org.onap.portal|menu|menu_task_search|*', 'org.onap.portal|menu|menu_task|*', 'org.onap.portal|menu|menu_web_analytics|*'}" -org.onap.refrepo|admin|AAF Namespace Administrators|"{'org.onap.refrepo|access|*|*', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass'}" -org.onap.refrepo|owner|AAF Namespace Owners|"{'org.onap.refrepo|access|*|read'}" -org.onap.refrepo|seeCerts||"{'org.onap.refrepo|certman|local|request,ignoreIPs,showpass'}" -org.onap.refrepo|service||"{'org.onap.refrepo|access|*|*'}" -org.onap.sdc|Account_Administrator|| -org.onap.sdc|admin|AAF Namespace Administrators|"{'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|access|*|*', 'org.onap.sdc|administrator.access|*|*', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass'}" -org.onap.sdc|ADMIN|ADMIN| -org.onap.sdc|app|app| -org.onap.sdc|designer||"{'org.onap.sdc|designer.access|*|*'}" -org.onap.sdc|governor||"{'org.onap.sdc|governance.access|*|*'}" -org.onap.sdc|ops||"{'org.onap.sdc|operations.access|*|*'}" -org.onap.sdc|owner|AAF Namespace Owners|"{'org.onap.sdc|access|*|read'}" -org.onap.sdc|tester||"{'org.onap.sdc|tester.access|*|*'}" 
-org.onap.sdc|TESTOR|TESTOR| -org.onap.sdnc|admin|AAF Namespace Administrators|"{'org.onap.sdnc|access|*|*', 'org.onap.sdnc|odl|odl-api|*'}" -org.onap.sdnc-cds|admin|AAF Namespace Administrators|"{'org.onap.sdnc-cds|access|*|*'}" -org.onap.sdnc-cds|owner|AAF Namespace Owners|"{'org.onap.sdnc-cds|access|*|read'}" -org.onap.sdnc-cds|service||"{'org.onap.sdnc-cds|access|*|*'}" -org.onap.sdnc|owner|AAF Namespace Owners|"{'org.onap.sdnc|access|*|read'}" -org.onap.sdnc|service||"{'org.onap.sdnc|access|*|*', 'org.onap.sdnc|odl|odl-api|*', 'org.onap.sdnc|odl|odl-api|create', 'org.onap.sdnc|odl|odl-api|delete', 'org.onap.sdnc|odl|odl-api|read', 'org.onap.sdnc|odl|odl-api|update'}" -org.onap.so|admin|AAF Namespace Administrators|"{'org.onap.so|access|*|*', 'org.onap.so|certman|local|request,ignoreIPs,showpass'}" -org.onap.so|app||"{'org.onap.so|access|*|*'}" -org.onap.so|owner|AAF Namespace Owners|"{'org.onap.so|access|*|read'}" -org.onap.so|seeCerts||"{'org.onap.so|certman|local|request,ignoreIPs,showpass'}" -org.onap.vfc|admin|AAF Namespace Administrators|"{'org.onap.vfc|access|*|*'}" -org.onap.vfc|owner|AAF Namespace Owners|"{'org.onap.vfc|access|*|read'}" -org.onap.vfc|service||"{'org.onap.vfc|access|*|*'}" -org.onap.vid1|admin|AAF Namespace Administrators|"{'org.onap.vid1|access|*|*'}" -org.onap.vid1|owner|AAF Namespace Owners|"{'org.onap.vid1|access|*|read'}" -org.onap.vid2|admin|AAF Namespace Administrators|"{'org.onap.vid2|access|*|*'}" -org.onap.vid2|owner|AAF Namespace Owners|"{'org.onap.vid2|access|*|read'}" -org.onap.vid|Account_Administrator|| -org.onap.vid|admin|AAF Namespace Administrators|"{'org.onap.vid|access|*|*'}" -org.onap.vid|Demonstration___gNB|| -org.onap.vid|Demonstration___vCPE|| -org.onap.vid|Demonstration___vFW|| -org.onap.vid|Demonstration___vFWCL|| -org.onap.vid|Demonstration___vIMS|| -org.onap.vid|Demonstration___vLB|| -org.onap.vid|member|member| -org.onap.vid|owner|AAF Namespace Owners|"{'org.onap.vid|access|*|read'}" 
-org.onap.vid|seeCerts|seeCerts| -org.onap.vid|service|service| -org.onap.vid|Standard_User|Standard User|"{'org.onap.vid|menu|menu_ajax|*', 'org.onap.vid|menu|menu_changemanagement|*', 'org.onap.vid|menu|menu_customer_create|*', 'org.onap.vid|menu|menu_customer|*', 'org.onap.vid|menu|menu_home|*', 'org.onap.vid|menu|menu_itracker|*', 'org.onap.vid|menu|menu_logout|*', 'org.onap.vid|menu|menu_map|*', 'org.onap.vid|menu|menu_newserinstance|*', 'org.onap.vid|menu|menu_profile|*', 'org.onap.vid|menu|menu_reports|*', 'org.onap.vid|menu|menu_searchexisting|*', 'org.onap.vid|menu|menu_servicemodels|*', 'org.onap.vid|menu|menu_tab|*', 'org.onap.vid|menu|menu_viewlog|*', 'org.onap.vid|url|login|*'}" -org.onap.vid|System_Administrator|System Administrator|"{'org.onap.vid|menu|menu_admin|*', 'org.onap.vid|menu|menu_ajax|*', 'org.onap.vid|menu|menu_changemanagement|*', 'org.onap.vid|menu|menu_customer_create|*', 'org.onap.vid|menu|menu_customer|*', 'org.onap.vid|menu|menu_feedback|*', 'org.onap.vid|menu|menu_help|*', 'org.onap.vid|menu|menu_home|*', 'org.onap.vid|menu|menu_itracker|*', 'org.onap.vid|menu|menu_job_create|*', 'org.onap.vid|menu|menu_job|*', 'org.onap.vid|menu|menu_logout|*', 'org.onap.vid|menu|menu_newserinstance|*', 'org.onap.vid|menu|menu_notes|*', 'org.onap.vid|menu|menu_process|*', 'org.onap.vid|menu|menu_profile_create|*', 'org.onap.vid|menu|menu_profile_import|*', 'org.onap.vid|menu|menu_profile|*', 'org.onap.vid|menu|menu_reports|*', 'org.onap.vid|menu|menu_sample|*', 'org.onap.vid|menu|menu_searchexisting|*', 'org.onap.vid|menu|menu_servicemodels|*', 'org.onap.vid|menu|menu_tab|*', 'org.onap.vid|menu|menu_test|*', 'org.onap.vid|menu|menu_viewlog|*', 'org.onap.vid|url|doclib_admin|*', 'org.onap.vid|url|doclib|*', 'org.onap.vid|url|login|*'}" -org.onap.uui|admin|AAF Namespace Administrators|"{'org.onap.uui|access|*|*', 'org.onap.uui|certman|local|request,ignoreIPs,showpass'}" -org.onap.uui|owner|AAF Namespace Owners|"{'org.onap.uui|access|*|read'}" 
-org.onap.uui|seeCerts||"{'org.onap.uui|certman|local|request,ignoreIPs,showpass'}" -org.onap.uui|service||"{'org.onap.uui|access|*|*'}" -org.openecomp|admin|OpenEcomp Admins|"{'org.openecomp.access|*|*'}" -org.openecomp.dmaapBC|admin|AAF Admins|"{'org.openecomp.dmaapBC.access|*|*', 'org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|pub', 'org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|sub', 'org.openecomp.dmaapBC.topicFactory|:org.openecomp.dmaapBC.topic:org.openecomp.dmaapBC|create'}" -org.openecomp.dmaapBC|owner|AAF Owners|"{'org.openecomp.dmaapBC.access|*|read'}" -org.openecomp|owner|OpenEcomp Owners|"{'org.openecomp.access|*|read'}" -org.osaaf.aaf|admin|AAF Admins|"{'org.osaaf.aaf.access|*|*', 'org.osaaf.aaf|cache|all|clear', 'org.osaaf.aaf|cache|role|clear', 'org.osaaf.aaf|password|*|create,reset'}" -org.osaaf.aaf|deploy|ONAP Deployment Role|"{'org.onap.a1p|certman|local|request,ignoreIPs,showpass', 'org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass', 'org.onap.aai|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-resources|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass', 'org.onap.appc|certman|local|request,ignoreIPs,showpass', 'org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass', 'org.onap.cli|certman|local|request,ignoreIPs,showpass', 'org.onap.dcae|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass', 
'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-eag|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-iag|certman|local|request,ignoreIPs,showpass', 'org.onap.music|certman|local|request,ignoreIPs,showpass', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass', 'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.policy|certman|local|request,ignoreIPs,showpass', 'org.onap.pomba|certman|local|request,ignoreIPs,showpass', 'org.onap.portal|certman|local|request,ignoreIPs,showpass', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc|certman|local|request,ignoreIPs,showpass', 'org.onap.so|certman|local|request,ignoreIPs,showpass', 'org.onap.vfc|certman|local|request,ignoreIPs,showpass', 'org.onap.vid1|certman|local|request,ignoreIPs,showpass', 'org.onap.vid2|certman|local|request,ignoreIPs,showpass', 'org.onap.vid|certman|local|request,ignoreIPs,showpass', 'org.onap.uui|certman|local|request,ignoreIPs,showpass', 'org.osaaf.aaf|certman|local|request,ignoreIPs,showpass'}" -org.osaaf.aaf|owner|AAF Owners|"{'org.osaaf.aaf.access|*|read,approve'}" -org.osaaf.aaf|service||"{'org.osaaf.aaf|cache|*|clear'}" -org.osaaf|admin|OSAAF Admins|"{'org.osaaf.access|*|*'}" -org.osaaf|owner|OSAAF Owners|"{'org.osaaf.access|*|read,approve'}" -org.osaaf.people|admin|AAF Namespace Administrators|"{'org.osaaf.people|access|*|*'}" -org.osaaf.people|owner|AAF Namespace Owners|"{'org.osaaf.people|access|*|read'}" -org|owner|Org Owners|"{'org.access|*|read,approve'}" diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat deleted file mode 100644 index bc9f0ec833..0000000000 
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat
+++ /dev/null
@@ -1,430 +0,0 @@ -mmanager@people.osaaf.org|org.onap.a1p.admin|2020-11-26 12:31:54.000+0000|org.onap.a1p|admin -mmanager@people.osaaf.org|org.onap.a1p.owner|2020-11-26 12:31:54.000+0000|org.onap.a1p|owner -mmanager@people.osaaf.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin -mmanager@people.osaaf.org|org.onap.aaf-sms.owner|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|owner -mmanager@people.osaaf.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -mmanager@people.osaaf.org|org.onap.aai.owner|2020-11-26 12:31:54.000+0000|org.onap.aai|owner -mmanager@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin -mmanager@people.osaaf.org|org.onap.aai-resources.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|owner -mmanager@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin -mmanager@people.osaaf.org|org.onap.aai-schema-service.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|owner -mmanager@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin -mmanager@people.osaaf.org|org.onap.aai-traversal.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|owner -mmanager@people.osaaf.org|org.onap.admin|2020-11-26 12:31:54.000+0000|org.onap|admin -mmanager@people.osaaf.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -mmanager@people.osaaf.org|org.onap.appc.owner|2020-11-26 12:31:54.000+0000|org.onap.appc|owner -mmanager@people.osaaf.org|org.onap.appc-cdt.admin|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|admin -mmanager@people.osaaf.org|org.onap.appc-cdt.owner|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|owner -mmanager@people.osaaf.org|org.onap.cds.admin|2020-11-26 12:31:54.000+0000|org.onap.cds|admin -mmanager@people.osaaf.org|org.onap.cds.owner|2020-11-26 12:31:54.000+0000|org.onap.cds|owner 
-mmanager@people.osaaf.org|org.onap.clamp.admin|2020-11-26 12:31:54.000+0000|org.onap.clamp|admin -mmanager@people.osaaf.org|org.onap.clamp.owner|2020-11-26 12:31:54.000+0000|org.onap.clamp|owner -mmanager@people.osaaf.org|org.onap.cli.admin|2020-11-26 12:31:54.000+0000|org.onap.cli|admin -mmanager@people.osaaf.org|org.onap.cli.owner|2020-11-26 12:31:54.000+0000|org.onap.cli|owner -mmanager@people.osaaf.org|org.onap.dcae.admin|2020-11-26 12:31:54.000+0000|org.onap.dcae|admin -mmanager@people.osaaf.org|org.onap.dcae.owner|2020-11-26 12:31:54.000+0000|org.onap.dcae|owner -mmanager@people.osaaf.org|org.onap.dmaap.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -mmanager@people.osaaf.org|org.onap.dmaap-bc-mm-prov.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc-mm-prov.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|owner -mmanager@people.osaaf.org|org.onap.dmaap-bc.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|owner -mmanager@people.osaaf.org|org.onap.dmaap-bc-topic-mgr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc-topic-mgr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|owner -mmanager@people.osaaf.org|org.onap.dmaap-dr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|admin -mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-123450.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123450|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-123451.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|owner 
-mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-1547667570.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-1547667570|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547665517.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547665517|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547666628.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666628|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547666760.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666760|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547666950.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666950|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547667031.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547667031|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-123456.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123456|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-123457.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123457|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547660509.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660509|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547660861.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660861|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547661011.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547661011|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547662122.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662122|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547662451.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662451|owner 
-mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547664813.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664813|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547664928.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664928|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547666068.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547666068|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTopic-1547654909.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTopic-1547654909|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.dgl000.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.partitionTest-1546033194.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.partitionTest-1546033194|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.sunil.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.sunil|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.test.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|owner -mmanager@people.osaaf.org|org.onap.dmaap.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap|owner -mmanager@people.osaaf.org|org.onap.holmes.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes|owner -mmanager@people.osaaf.org|org.onap.holmes-engine-mgmt.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|owner -mmanager@people.osaaf.org|org.onap.holmes-rule-mgmt.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|owner -mmanager@people.osaaf.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin -mmanager@people.osaaf.org|org.onap.msb-eag.owner|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|owner 
-mmanager@people.osaaf.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin -mmanager@people.osaaf.org|org.onap.msb-iag.owner|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|owner -mmanager@people.osaaf.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin -mmanager@people.osaaf.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner -mmanager@people.osaaf.org|org.onap.nbi.owner|2020-11-26 12:31:54.000+0000|org.onap.nbi|owner -mmanager@people.osaaf.org|org.onap.ngi.owner|2020-11-26 12:31:54.000+0000|org.onap.ngi|owner -mmanager@people.osaaf.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -mmanager@people.osaaf.org|org.onap.oof.owner|2020-11-26 12:31:54.000+0000|org.onap.oof|owner -mmanager@people.osaaf.org|org.onap.owner|2020-11-26 12:31:54.000+0000|org.onap|owner -mmanager@people.osaaf.org|org.onap.policy.owner|2020-11-26 12:31:54.000+0000|org.onap.policy|owner -mmanager@people.osaaf.org|org.onap.pomba.admin|2020-11-26 12:31:54.000+0000|org.onap.pomba|admin -mmanager@people.osaaf.org|org.onap.pomba.owner|2020-11-26 12:31:54.000+0000|org.onap.pomba|owner -mmanager@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -mmanager@people.osaaf.org|org.onap.portal.owner|2020-11-26 12:31:54.000+0000|org.onap.portal|owner -mmanager@people.osaaf.org|org.onap.refrepo.owner|2020-11-26 12:31:54.000+0000|org.onap.refrepo|owner -mmanager@people.osaaf.org|org.onap.sdc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdc|admin -mmanager@people.osaaf.org|org.onap.sdc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdc|owner -mmanager@people.osaaf.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin -mmanager@people.osaaf.org|org.onap.sdnc-cds.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|admin -mmanager@people.osaaf.org|org.onap.sdnc-cds.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|owner 
-mmanager@people.osaaf.org|org.onap.sdnc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc|owner -mmanager@people.osaaf.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -mmanager@people.osaaf.org|org.onap.so.owner|2020-11-26 12:31:54.000+0000|org.onap.so|owner -mmanager@people.osaaf.org|org.onap.vfc.admin|2020-11-26 12:31:54.000+0000|org.onap.vfc|admin -mmanager@people.osaaf.org|org.onap.vfc.owner|2020-11-26 12:31:54.000+0000|org.onap.vfc|owner -mmanager@people.osaaf.org|org.onap.vid1.admin|2020-11-26 12:31:54.000+0000|org.onap.vid1|admin -mmanager@people.osaaf.org|org.onap.vid1.owner|2020-11-26 12:31:54.000+0000|org.onap.vid1|owner -mmanager@people.osaaf.org|org.onap.vid2.admin|2020-11-26 12:31:54.000+0000|org.onap.vid2|admin -mmanager@people.osaaf.org|org.onap.vid2.owner|2020-11-26 12:31:54.000+0000|org.onap.vid2|owner -mmanager@people.osaaf.org|org.onap.vid.admin|2020-11-26 12:31:54.000+0000|org.onap.vid|admin -mmanager@people.osaaf.org|org.onap.vid.owner|2020-11-26 12:31:54.000+0000|org.onap.vid|owner -mmanager@people.osaaf.org|org.onap.uui.owner|2020-11-26 12:31:54.000+0000|org.onap.uui|owner -mmanager@people.osaaf.org|org.osaaf.people.owner|2020-11-26 12:31:54.000+0000|org.osaaf.people|owner -portal@portal.onap.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin -portal@portal.onap.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -portal@portal.onap.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin -portal@portal.onap.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -portal@portal.onap.org|org.onap.appc.apidoc|2020-11-26 12:31:54.000+0000|org.onap.appc|apidoc -portal@portal.onap.org|org.onap.appc.restconf|2020-11-26 12:31:54.000+0000|org.onap.appc|restconf -portal@portal.onap.org|org.onap.cds.admin|2020-11-26 12:31:54.000+0000|org.onap.cds|admin -portal@portal.onap.org|org.onap.clamp.admin|2020-11-26 
12:31:54.000+0000|org.onap.clamp|admin -portal@portal.onap.org|org.onap.dcae.admin|2020-11-26 12:31:54.000+0000|org.onap.dcae|admin -portal@portal.onap.org|org.onap.dmaap-bc.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|admin -portal@portal.onap.org|org.onap.dmaap-bc.api.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|admin -portal@portal.onap.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -portal@portal.onap.org|org.onap.dmaap-bc-mm-prov.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|admin -portal@portal.onap.org|org.onap.dmaap-bc-topic-mgr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|admin -portal@portal.onap.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -portal@portal.onap.org|org.onap.dmaap-mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|admin -portal@portal.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -portal@portal.onap.org|org.onap.dmaap.mr.dgl_ready.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl_ready|owner -portal@portal.onap.org|org.onap.dmaap.mr.IdentityTopic-12345.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-12345|owner -portal@portal.onap.org|org.onap.dmaap.mr.IdentityTopic-1547839476.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-1547839476|owner -portal@portal.onap.org|org.onap.dmaap.mr.mirrormakeragent.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|owner -portal@portal.onap.org|org.onap.dmaap.mr.mrtesttopic.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.sub -portal@portal.onap.org|org.onap.dmaap.mr.PM_MAPPER.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|owner -portal@portal.onap.org|org.onap.dmaap.mr.PNF_READY.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|owner -portal@portal.onap.org|org.onap.dmaap.mr.PNF_REGISTRATION.owner|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|owner -portal@portal.onap.org|org.onap.dmaap-mr.sunil.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.sunil|admin -portal@portal.onap.org|org.onap.dmaap.mr.test1|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|test1 -portal@portal.onap.org|org.onap.dmaap-mr.test.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|admin -portal@portal.onap.org|org.onap.dmaap.mr.topic-000.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-000|owner -portal@portal.onap.org|org.onap.dmaap.mr.topic-001.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|owner -portal@portal.onap.org|org.onap.dmaap.mr.topic-002.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|owner -portal@portal.onap.org|org.onap.holmes.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes|admin -portal@portal.onap.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin -portal@portal.onap.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin -portal@portal.onap.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin -portal@portal.onap.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner -portal@portal.onap.org|org.onap.nbi.admin|2020-11-26 12:31:54.000+0000|org.onap.nbi|admin -portal@portal.onap.org|org.onap.ngi.admin|2020-11-26 12:31:54.000+0000|org.onap.ngi|admin -portal@portal.onap.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -portal@portal.onap.org|org.onap.policy.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|admin -portal@portal.onap.org|org.onap.pomba.admin|2020-11-26 12:31:54.000+0000|org.onap.pomba|admin -portal@portal.onap.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -portal@portal.onap.org|org.onap.sdc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdc|admin -portal@portal.onap.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin 
-portal@portal.onap.org|org.onap.sdnc-cds.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|admin -portal@portal.onap.org|org.onap.sdnc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc|owner -portal@portal.onap.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -portal@portal.onap.org|org.onap.vfc.admin|2020-11-26 12:31:54.000+0000|org.onap.vfc|admin -portal@portal.onap.org|org.onap.vid1.admin|2020-11-26 12:31:54.000+0000|org.onap.vid1|admin -portal@portal.onap.org|org.onap.vid2.admin|2020-11-26 12:31:54.000+0000|org.onap.vid2|admin -portal@portal.onap.org|org.onap.vid.admin|2020-11-26 12:31:54.000+0000|org.onap.vid|admin -portal@portal.onap.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -portal@portal.onap.org|org.osaaf.people.admin|2020-11-26 12:31:54.000+0000|org.osaaf.people|admin -shi@portal.onap.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -demo@mr.dmaap.onap.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -demo@people.osaaf.org|org.onap.aai.aaiui|2020-11-26 12:31:54.000+0000|org.onap.aai|aaiui -demo@people.osaaf.org|org.onap.aai.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.aai|Account_Administrator -demo@people.osaaf.org|org.onap.aai.resources_readonly|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_readonly -demo@people.osaaf.org|org.onap.aai.traversal_basic|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_basic -demo@people.osaaf.org|org.onap.clamp.service|2020-11-26 12:31:54.000+0000|org.onap.clamp|service -demo@people.osaaf.org|org.onap.dcae.pnfPublisher|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfPublisher -demo@people.osaaf.org|org.onap.dcae.pnfSubscriber|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfSubscriber -demo@people.osaaf.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -demo@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-123451.publisher|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|publisher -demo@people.osaaf.org|org.onap.dmaap.mr.create|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|create -demo@people.osaaf.org|org.onap.dmaap.mr.destroy|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|destroy -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|pub -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|publisher -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|sub -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|subscriber -demo@people.osaaf.org|org.onap.dmaap.mr.mrtesttopic.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.pub -demo@people.osaaf.org|org.onap.dmaap.mr.mrtesttopic.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.sub -demo@people.osaaf.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -demo@people.osaaf.org|org.onap.policy.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.policy|Account_Administrator -demo@people.osaaf.org|org.onap.policy.pdpd.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpd.admin -demo@people.osaaf.org|org.onap.policy.pdpx.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpx.admin -demo@people.osaaf.org|org.onap.policy.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.policy|System_Administrator -demo@people.osaaf.org|org.onap.portal.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.portal|Account_Administrator -demo@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -demo@people.osaaf.org|org.onap.portal.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.portal|System_Administrator 
-demo@people.osaaf.org|org.onap.portal.test.admin|2020-11-26 12:31:54.000+0000|org.onap.portal.test|admin -demo@people.osaaf.org|org.onap.portal.test.owner|2020-11-26 12:31:54.000+0000|org.onap.portal.test|owner -demo@people.osaaf.org|org.onap.portal.test.user1|2020-11-26 12:31:54.000+0000|org.onap.portal.test|user1 -demo@people.osaaf.org|org.onap.sdc.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.sdc|Account_Administrator -demo@people.osaaf.org|org.onap.sdc.ADMIN|2020-11-26 12:31:54.000+0000|org.onap.sdc|ADMIN -demo@people.osaaf.org|org.onap.vid.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|Account_Administrator -demo@people.osaaf.org|org.onap.vid.Demonstration___gNB|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___gNB -demo@people.osaaf.org|org.onap.vid.Demonstration___vCPE|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vCPE -demo@people.osaaf.org|org.onap.vid.Demonstration___vFW|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vFW -demo@people.osaaf.org|org.onap.vid.Demonstration___vFWCL|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vFWCL -demo@people.osaaf.org|org.onap.vid.Demonstration___vIMS|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vIMS -demo@people.osaaf.org|org.onap.vid.Demonstration___vLB|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vLB -demo@people.osaaf.org|org.onap.vid.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|System_Administrator -jh0003@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -jh0003@people.osaaf.org|org.onap.sdc.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.sdc|Account_Administrator -jh0003@people.osaaf.org|org.onap.sdc.ADMIN|2020-11-26 12:31:54.000+0000|org.onap.sdc|ADMIN -cs0008@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -jm0007@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR 
-op0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -gv0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -pm0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -ps0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -aaf_admin@people.osaaf.org|org.onap.a1p.admin|2020-11-26 12:31:54.000+0000|org.onap.a1p|admin -aaf_admin@people.osaaf.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin -aaf_admin@people.osaaf.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -aaf_admin@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin -aaf_admin@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin -aaf_admin@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin -aaf_admin@people.osaaf.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -aaf_admin@people.osaaf.org|org.onap.appc.apidoc|2020-11-26 12:31:54.000+0000|org.onap.appc|apidoc -aaf_admin@people.osaaf.org|org.onap.appc.restconf|2020-11-26 12:31:54.000+0000|org.onap.appc|restconf -aaf_admin@people.osaaf.org|org.onap.appc-cdt.admin|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|admin -aaf_admin@people.osaaf.org|org.onap.cds.admin|2020-11-26 12:31:54.000+0000|org.onap.cds|admin -aaf_admin@people.osaaf.org|org.onap.clamp.admin|2020-11-26 12:31:54.000+0000|org.onap.clamp|admin -aaf_admin@people.osaaf.org|org.onap.cli.admin|2020-11-26 12:31:54.000+0000|org.onap.cli|admin -aaf_admin@people.osaaf.org|org.onap.dcae.admin|2020-11-26 12:31:54.000+0000|org.onap.dcae|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc.api.admin|2020-11-26 
12:31:54.000+0000|org.onap.dmaap-bc.api|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -aaf_admin@people.osaaf.org|org.onap.dmaap-bc-mm-prov.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc-topic-mgr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.dgl_ready.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl_ready|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.IdentityTopic-12345.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-12345|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.IdentityTopic-1547839476.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-1547839476|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.mrtesttopic.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.sub -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.PM_MAPPER.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.PNF_READY.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.PNF_REGISTRATION.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|owner -aaf_admin@people.osaaf.org|org.onap.dmaap-mr.sunil.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.sunil|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.test1|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr|test1 -aaf_admin@people.osaaf.org|org.onap.dmaap-mr.test.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-000.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-000|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-001.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-002.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|owner -aaf_admin@people.osaaf.org|org.onap.holmes.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes|admin -aaf_admin@people.osaaf.org|org.onap.holmes-engine-mgmt.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|admin -aaf_admin@people.osaaf.org|org.onap.holmes-rule-mgmt.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|admin -aaf_admin@people.osaaf.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin -aaf_admin@people.osaaf.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin -aaf_admin@people.osaaf.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin -aaf_admin@people.osaaf.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner -aaf_admin@people.osaaf.org|org.onap.nbi.admin|2020-11-26 12:31:54.000+0000|org.onap.nbi|admin -aaf_admin@people.osaaf.org|org.onap.ngi.admin|2020-11-26 12:31:54.000+0000|org.onap.ngi|admin -aaf_admin@people.osaaf.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -aaf_admin@people.osaaf.org|org.onap.policy.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|admin -aaf_admin@people.osaaf.org|org.onap.pomba.admin|2020-11-26 12:31:54.000+0000|org.onap.pomba|admin -aaf_admin@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -aaf_admin@people.osaaf.org|org.onap.refrepo.admin|2020-11-26 12:31:54.000+0000|org.onap.refrepo|admin 
-aaf_admin@people.osaaf.org|org.onap.sdc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdc|admin -aaf_admin@people.osaaf.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin -aaf_admin@people.osaaf.org|org.onap.sdnc-cds.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|admin -aaf_admin@people.osaaf.org|org.onap.sdnc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc|owner -aaf_admin@people.osaaf.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -aaf_admin@people.osaaf.org|org.onap.vfc.admin|2020-11-26 12:31:54.000+0000|org.onap.vfc|admin -aaf_admin@people.osaaf.org|org.onap.vid1.admin|2020-11-26 12:31:54.000+0000|org.onap.vid1|admin -aaf_admin@people.osaaf.org|org.onap.vid2.admin|2020-11-26 12:31:54.000+0000|org.onap.vid2|admin -aaf_admin@people.osaaf.org|org.onap.vid.admin|2020-11-26 12:31:54.000+0000|org.onap.vid|admin -aaf_admin@people.osaaf.org|org.onap.uui.admin|2020-11-26 12:31:54.000+0000|org.onap.uui|admin -aaf_admin@people.osaaf.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -aaf_admin@people.osaaf.org|org.osaaf.people.admin|2020-11-26 12:31:54.000+0000|org.osaaf.people|admin -deployer@people.osaaf.org|org.osaaf.aaf.deploy|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|deploy -portal_admin@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -aaf@aaf.osaaf.org|org.admin|2020-11-26 12:31:54.000+0000|org|admin -aaf@aaf.osaaf.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -aaf@aaf.osaaf.org|org.osaaf.aaf.service|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|service -aaf@aaf.osaaf.org|org.osaaf.people.admin|2020-11-26 12:31:54.000+0000|org.osaaf.people|admin -osaaf@aaf.osaaf.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -a1p@a1p.onap.org|org.onap.a1p.service|2020-11-26 12:31:54.000+0000|org.onap.a1p|service -aaf-sms@aaf-sms.onap.org|org.onap.aaf-sms.service|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|service 
-aai@aai.onap.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -aai@aai.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -aai@aai.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -aai-resources@aai-resources.onap.org|org.onap.aai-resources.service|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|service -aai-schema-service@aai-schema-service.onap.org|org.onap.aai-schema-service.service|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|service -aai-traversal@aai-traversal.onap.org|org.onap.aai-traversal.service|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|service -appc@appc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -appc@appc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -appc@appc.onap.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -appc@appc.onap.org|org.onap.appc.odl|2020-11-26 12:31:54.000+0000|org.onap.appc|odl -appc@appc.onap.org|org.onap.appc.service|2020-11-26 12:31:54.000+0000|org.onap.appc|service -appc-cdt@appc-cdt.onap.org|org.onap.appc-cdt.service|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|service -cli@cli.onap.org|org.onap.cli.service|2020-11-26 12:31:54.000+0000|org.onap.cli|service -clamp@clampdemo.onap.org|org.onap.clampdemo.owner|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|owner -clamp@clampdemo.onap.org|org.onap.clampdemo.service|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|admin -clamp@clamp.onap.org|org.onap.clamp.clds.admin.dev|2020-11-26 12:31:54.000+0000|org.onap.clamp|clds.admin.dev -clamp@clamp.onap.org|org.onap.clamp.clds.designer.dev|2020-11-26 12:31:54.000+0000|org.onap.clamp|clds.designer.dev -clamp@clamp.onap.org|org.onap.clamp.clds.vf_filter_all.dev|2020-11-26 12:31:54.000+0000|org.onap.clamp|clds.vf_filter_all.dev 
-clamp@clamp.onap.org|org.onap.clampdemo.owner|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|owner -clamp@clamp.onap.org|org.onap.clampdemo.service|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|admin -clamp@clamp.onap.org|org.onap.clamp.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.clamp|seeCerts -clamp@clamp.onap.org|org.onap.clamp.service|2020-11-26 12:31:54.000+0000|org.onap.clamp|service -clamp@clamp.onap.org|org.onap.clamptest.owner|2020-11-26 12:31:54.000+0000|org.onap.clamptest|owner -clamp@clamp.onap.org|org.onap.clamptest.service|2020-11-26 12:31:54.000+0000|org.onap.clamptest|admin -clamp@clamp.onap.org|org.onap.dmaap.mr.aNewTopic-123451.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|subscriber -clamp@clamp.onap.org|org.onap.dmaap.mr.dgl000.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|subscriber -clamp@clamp.osaaf.org|org.onap.clamp.service|2020-11-26 12:31:54.000+0000|org.onap.clamp|service -clamp@clamptest.onap.org|org.onap.clamptest.owner|2020-11-26 12:31:54.000+0000|org.onap.clamptest|owner -clamp@clamptest.onap.org|org.onap.clamptest.service|2020-11-26 12:31:54.000+0000|org.onap.clamptest|admin -dcae@dcae.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -dcae@dcae.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -dcae@dcae.onap.org|org.onap.dcae.pmPublisher|2020-11-26 12:31:54.000+0000|org.onap.dcae|pmPublisher -dcae@dcae.onap.org|org.onap.dcae.pmSubscriber|2020-11-26 12:31:54.000+0000|org.onap.dcae|pmSubscriber -dcae@dcae.onap.org|org.onap.dcae.pnfPublisher|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfPublisher -dcae@dcae.onap.org|org.onap.dcae.pnfSubscriber|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfSubscriber -dcae@dcae.onap.org|org.onap.dcae.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dcae|seeCerts -dcae@dcae.onap.org|org.onap.dmaap-dr.feed.admin|2020-11-26 
12:31:54.000+0000|org.onap.dmaap-dr|feed.admin -dcae@dcae.onap.org|org.onap.dmaap-dr.sub.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|sub.admin -dcae@dcae.onap.org|org.onap.dmaap.mr.aNewTopic-123451.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|subscriber -dcae@dcae.onap.org|org.onap.dmaap.mr.PM_MAPPER.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|publisher -dcae@dcae.onap.org|org.onap.dmaap.mr.PNF_READY.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|pub -dcae@dcae.onap.org|org.onap.dmaap.mr.PNF_REGISTRATION.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|sub -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|org.onap.holmes-engine-mgmt.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|seeCerts -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|org.onap.holmes-engine-mgmt.service|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|service -holmes-rule-mgmt@holmes-rule-mgmt.onap.org|org.onap.holmes-rule-mgmt.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|seeCerts -holmes-rule-mgmt@holmes-rule-mgmt.onap.org|org.onap.holmes-rule-mgmt.service|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|service -oof@oof.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -oof@oof.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -oof@oof.onap.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -oof@oof.onap.org|org.onap.oof.service|2020-11-26 12:31:54.000+0000|org.onap.oof|service -so@so.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -so@so.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -so@so.onap.org|org.onap.appc.service|2020-11-26 12:31:54.000+0000|org.onap.appc|service -so@so.onap.org|org.onap.sdnc.service|2020-11-26 
12:31:54.000+0000|org.onap.sdnc|service -so@so.onap.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -so@so.onap.org|org.onap.so.app|2020-11-26 12:31:54.000+0000|org.onap.so|app -so@so.onap.org|org.onap.so.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.so|seeCerts -sdc@sdc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -sdc@sdc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -sdnc@sdnc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -sdnc@sdnc.onap.org|org.onap.dmaap.mr.aNewTopic-123451.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|publisher -sdnc@sdnc.onap.org|org.onap.dmaap.mr.dgl000.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|publisher -sdnc@sdnc.onap.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin -sdnc@sdnc.onap.org|org.onap.sdnc.service|2020-11-26 12:31:54.000+0000|org.onap.sdnc|service -sdnc-cds@sdnc-cds.onap.org|org.onap.sdnc-cds.service|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|service -vfc@vfc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -vfc@vfc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -vfc@vfc.onap.org|org.onap.dmaap-mr.Publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|Publisher -vfc@vfc.onap.org|org.onap.vfc.service|2020-11-26 12:31:54.000+0000|org.onap.vfc|service -policy@policy.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -policy@policy.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -policy@policy.onap.org|org.onap.policy.pdpd.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpd.admin -policy@policy.onap.org|org.onap.policy.pdpx.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpx.admin 
-policy@policy.onap.org|org.onap.policy.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.policy|seeCerts -pomba@pomba.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -pomba@pomba.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -holmes@holmes.onap.org|org.onap.holmes.service|2020-11-26 12:31:54.000+0000|org.onap.holmes|service -msb-eag@msb-eag.onap.org|org.onap.msb-eag.service|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|service -msb-iag@msb-iag.onap.org|org.onap.msb-iag.service|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|service -nbi@nbi.onap.org|org.onap.nbi.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.nbi|seeCerts -nbi@nbi.onap.org|org.onap.nbi.service|2020-11-26 12:31:54.000+0000|org.onap.nbi|service -music@music.onap.org|org.onap.music.service|2020-11-26 12:31:54.000+0000|org.onap.music|service -refrepo@refrepo.onap.org|org.onap.refrepo.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.refrepo|seeCerts -refrepo@refrepo.onap.org|org.onap.refrepo.service|2020-11-26 12:31:54.000+0000|org.onap.refrepo|service -vid@vid.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -vid@vid.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -vid@vid.onap.org|org.onap.vid.service|2020-11-26 12:31:54.000+0000|org.onap.vid|service -vid1@people.osaaf.org|org.onap.vid.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|System_Administrator -vid2@people.osaaf.org|org.onap.vid.Standard_User|2020-11-26 12:31:54.000+0000|org.onap.vid|Standard_User -vid2@people.osaaf.org|org.onap.vid.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|System_Administrator -uui@uui.onap.org|org.onap.uui.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.uui|seeCerts -uui@uui.onap.org|org.onap.uui.service|2020-11-26 12:31:54.000+0000|org.onap.uui|service 
-dmaap-bc@bc.dmaap.onap.org|org.onap.dmaap.bc.service|2020-11-26 12:31:54.000+0000|org.onap.dmaap.bc|service -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap-bc.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|seeCerts -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap-bc.service|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|service -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.dgl000.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.mirrormakeragent.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.PM_MAPPER.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.topic-001.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.topic-002.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap-bc-topic-mgr.client|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|client -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap-dr.feed.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|feed.admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap-dr.sub.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|sub.admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-123450.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123450|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-123451.admin|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-1547667570.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-1547667570|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547665517.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547665517|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547666628.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666628|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547666760.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666760|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547666950.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666950|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547667031.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547667031|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-123456.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123456|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-123457.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123457|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547660509.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660509|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547660861.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660861|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547661011.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547661011|admin 
-dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547662122.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662122|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547662451.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662451|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547664813.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664813|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547664928.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664928|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547666068.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547666068|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTopic-1547654909.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTopic-1547654909|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.create|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|create -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.destroy|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|destroy -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.dgl_ready.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl_ready|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.IdentityTopic-12345.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-12345|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.IdentityTopic-1547839476.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-1547839476|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormaker.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.pub|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|pub -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|publisher -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|sub -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|subscriber -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormaker.user|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.user -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.partitionTest-1546033194.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.partitionTest-1546033194|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.PNF_READY.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.PNF_REGISTRATION.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.topic-000.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-000|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.create|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|create -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.destroy|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|destroy -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormaker.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.admin -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|pub 
-dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|publisher
-dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|sub
-dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|subscriber
-dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormaker.user|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.user
-dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view
-dmaap-dr@dmaap-dr.onap.org|org.onap.dmaap-dr.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|seeCerts
-dmaap-dr-prov@dmaap-dr.onap.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin
-dmaap-dr-prov@dmaap-dr.onap.org|org.onap.dmaap-dr.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|seeCerts
-dmaap-dr-node@dmaap-dr.onap.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin
-dmaap-dr-node@dmaap-dr.onap.org|org.onap.dmaap-dr.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|seeCerts
-dmaapmr@mr.dmaap.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin
diff --git a/kubernetes/aaf/components/aaf-cass/templates/NOTES.txt b/kubernetes/aaf/components/aaf-cass/templates/NOTES.txt
deleted file mode 100644
index bd74a42cd5..0000000000
--- a/kubernetes/aaf/components/aaf-cass/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright © 2018 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
- http://{{ . }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
-{{- end }}
diff --git a/kubernetes/aaf/components/aaf-cass/templates/configmap.yaml b/kubernetes/aaf/components/aaf-cass/templates/configmap.yaml
deleted file mode 100644
index a10bb8a7a1..0000000000
--- a/kubernetes/aaf/components/aaf-cass/templates/configmap.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/*
-# ============LICENSE_START====================================================
-# org.onap.aaf
-# ===========================================================================
-# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
-# ===========================================================================
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-cass-init-dats
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/cass-init-dats/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/aaf/components/aaf-cass/templates/deployment.yaml b/kubernetes/aaf/components/aaf-cass/templates/deployment.yaml
deleted file mode 100644
index 4e18b3b746..0000000000
--- a/kubernetes/aaf/components/aaf-cass/templates/deployment.yaml
+++ /dev/null
@@ -1,136 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - echo "*** Move files from configmap to emptyDir" - cp -L /config-input-dats/* /config-dats/ - echo "*** set righ user to the different folders" - chown -R 1000:1000 /config-dats - chown -R 1000:1000 /var/lib/cassandra - chown -R 1000:1000 /status - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /var/lib/cassandra - name: aaf-cass-vol - - mountPath: /config-input-dats - name: config-cass-init-dats - - mountPath: /config-dats - name: config-cass-dats - - mountPath: /status - name: aaf-status - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 30m - memory: 100Mi - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - # installing with cmd "onap" will not only initialize the DB, but add ONAP bootstrap data as well - command: ["/bin/bash","/opt/app/aaf/cass_init/cmd.sh","onap"] - ports: {{ include "common.containerPorts" . | nindent 10 }} - env: - - name: CASSANDRA_CLUSTER_NAME - value: {{ .Values.config.cluster_name }} - - name: CASSANDRA_DC - value: {{ .Values.config.dc }} - - name: CQLSH - value: "/opt/cassandra/bin/cqlsh" - - name: HEAP_NEWSIZE - value: {{ .Values.config.heap_new_size }} - - name: MAX_HEAP_SIZE - value: {{ .Values.config.max_heap_size }} - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - volumeMounts: - - mountPath: /var/lib/cassandra - name: aaf-cass-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/aaf/cass_init/dats - name: config-cass-dats - - mountPath: /opt/app/aaf/status - name: aaf-status - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: tcp-cql - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: tcp-cql - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . 
| nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-status - emptyDir: {} - - name: aaf-cass-vol - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - - name: config-cass-init-dats - configMap: - name: {{ include "common.fullname" . }}-cass-init-dats - - name: config-cass-dats - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-cass/templates/pv.yaml b/kubernetes/aaf/components/aaf-cass/templates/pv.yaml deleted file mode 100644 index 187e9b75de..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/pv.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PV" . }} diff --git a/kubernetes/aaf/components/aaf-cass/templates/pvc.yaml b/kubernetes/aaf/components/aaf-cass/templates/pvc.yaml deleted file mode 100644 index e56c98751c..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/pvc.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.PVC" . }}
diff --git a/kubernetes/aaf/components/aaf-cass/templates/service.yaml b/kubernetes/aaf/components/aaf-cass/templates/service.yaml
deleted file mode 100644
index 149a8708a6..0000000000
--- a/kubernetes/aaf/components/aaf-cass/templates/service.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/aaf/components/aaf-cass/values.yaml b/kubernetes/aaf/components/aaf-cass/values.yaml
deleted file mode 100644
index a1a1abe55a..0000000000
--- a/kubernetes/aaf/components/aaf-cass/values.yaml
+++ /dev/null
@@ -1,96 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application configuration -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: tcp-cql - -image: onap/aaf/aaf_cass:2.1.23 - -config: - cluster_name: osaaf - heap_new_size: 512M - max_heap_size: 1024M - dc: dc1 - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - -service: - name: aaf-cass - type: ClusterIP - ports: - - name: tcp-intra - port: 7000 - - name: tls - port: 7001 - - name: tcp-cql - port: 9042 - - name: tcp-thrift - port: 9160 - -ingress: - enabled: false - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 2100m - memory: 1792Mi - requests: - cpu: 30m - memory: 1280Mi - large: - limits: - cpu: 4 - memory: 12000Mi - requests: - cpu: 40m - memory: 9000Mi - unlimited: {} - -persistence: - enabled: true - #existingClaim: - mountPath: /dockerdata-nfs - 
mountSubPath: "cass" - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 5Gi diff --git a/kubernetes/aaf/components/aaf-cm/.helmignore b/kubernetes/aaf/components/aaf-cm/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/aaf/components/aaf-cm/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-cm/Chart.yaml b/kubernetes/aaf/components/aaf-cm/Chart.yaml deleted file mode 100644 index 094d21020a..0000000000 --- a/kubernetes/aaf/components/aaf-cm/Chart.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T, ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF Certificate Manager -name: aaf-cm -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: aaf-templates - version: ~12.x-0 - repository: 'file://../aaf-templates' 
diff --git a/kubernetes/aaf/components/aaf-cm/templates/NOTES.txt b/kubernetes/aaf/components/aaf-cm/templates/NOTES.txt
deleted file mode 100644
index bd74a42cd5..0000000000
--- a/kubernetes/aaf/components/aaf-cm/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-cm/templates/deployment.yaml b/kubernetes/aaf/components/aaf-cm/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-cm/templates/ingress.yaml b/kubernetes/aaf/components/aaf-cm/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-cm/templates/service.yaml b/kubernetes/aaf/components/aaf-cm/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Orange
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/aaf/components/aaf-cm/values.yaml b/kubernetes/aaf/components/aaf-cm/values.yaml
deleted file mode 100644
index a8159dc2cd..0000000000
--- a/kubernetes/aaf/components/aaf-cm/values.yaml
+++ /dev/null
@@ -1,94 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image -replicaCount: 1 - -binary: cm - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-cm - type: ClusterIP - ports: - - name: api - protocol: http - port: 8150 - -ingress: - enabled: false - service: - - baseaddr: "aaf-cm-api" - name: "aaf-cm" - port: 8150 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 400m - memory: 300Mi - requests: - cpu: 1m - memory: 200Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 40m - memory: 600Mi - unlimited: {} 
diff --git a/kubernetes/aaf/components/aaf-fs/Chart.yaml b/kubernetes/aaf/components/aaf-fs/Chart.yaml
deleted file mode 100644
index 4573a51c19..0000000000
--- a/kubernetes/aaf/components/aaf-fs/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP AAF File Server
-name: aaf-fs
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: aaf-templates
- version: ~12.x-0
- repository: 'file://../aaf-templates'
diff --git a/kubernetes/aaf/components/aaf-fs/templates/NOTES.txt b/kubernetes/aaf/components/aaf-fs/templates/NOTES.txt
deleted file mode 100644
index bd74a42cd5..0000000000
--- a/kubernetes/aaf/components/aaf-fs/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-fs/templates/deployment.yaml b/kubernetes/aaf/components/aaf-fs/templates/deployment.yaml deleted file mode 100644 index 5d40538e49..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-fs/templates/ingress.yaml b/kubernetes/aaf/components/aaf-fs/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-fs/templates/service.yaml b/kubernetes/aaf/components/aaf-fs/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Orange
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/aaf/components/aaf-fs/values.yaml b/kubernetes/aaf/components/aaf-fs/values.yaml
deleted file mode 100644
index a0e9fe9bae..0000000000
--- a/kubernetes/aaf/components/aaf-fs/values.yaml
+++ /dev/null
@@ -1,95 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image -pullPolicy: Always - -replicaCount: 1 - -binary: fs - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-fs - type: ClusterIP - ports: - - name: api - port: 8096 - protocol: http - -ingress: - enabled: false - service: - - baseaddr: "aaf-fs-api" - name: "aaf-fs" - port: 8096 - config: - ssl: "none" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 110Mi - requests: - cpu: 1m - memory: 80Mi - large: - limits: - cpu: 500m - memory: 700Mi - requests: - cpu: 100m - memory: 400Mi - unlimited: {} 
diff --git a/kubernetes/aaf/components/aaf-gui/.helmignore b/kubernetes/aaf/components/aaf-gui/.helmignore
deleted file mode 100644
index f0c1319444..0000000000
--- a/kubernetes/aaf/components/aaf-gui/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/aaf/components/aaf-gui/Chart.yaml b/kubernetes/aaf/components/aaf-gui/Chart.yaml
deleted file mode 100644
index 4e49314946..0000000000
--- a/kubernetes/aaf/components/aaf-gui/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP AAF GUI
-name: aaf-gui
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: aaf-templates
- version: ~12.x-0
- repository: 'file://../aaf-templates'
diff --git a/kubernetes/aaf/components/aaf-gui/templates/NOTES.txt b/kubernetes/aaf/components/aaf-gui/templates/NOTES.txt
deleted file mode 100644
index bd74a42cd5..0000000000
--- a/kubernetes/aaf/components/aaf-gui/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-gui/templates/deployment.yaml b/kubernetes/aaf/components/aaf-gui/templates/deployment.yaml deleted file mode 100644 index 5d40538e49..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-gui/templates/ingress.yaml b/kubernetes/aaf/components/aaf-gui/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-gui/templates/service.yaml b/kubernetes/aaf/components/aaf-gui/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Orange
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/aaf/components/aaf-gui/values.yaml b/kubernetes/aaf/components/aaf-gui/values.yaml
deleted file mode 100644
index fd416b64dc..0000000000
--- a/kubernetes/aaf/components/aaf-gui/values.yaml
+++ /dev/null
@@ -1,95 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications © 2020 AT&T, Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-global:
- nodePortPrefix: 302
- persistence:
- enabled: true
- # Standard OOM
- pullPolicy: "Always"
-
- aaf:
- image: onap/aaf/aaf_core:2.1.23
- config:
- image: onap/aaf/aaf_config:2.1.23
-
-flavor: small
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-pullPolicy: Always
-
-replicaCount: 1
-
-binary: gui
-
-sequence_order:
- - service
- - locate
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 30
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
- port: gui
-
-readiness:
- initialDelaySeconds: 5
- periodSeconds: 10
- port: gui
-
-service:
- name: aaf-gui
- type: NodePort
- ports:
- - name: gui
- protocol: http
- port: 8200
- nodePort: 51
-
-ingress:
- enabled: false
- service:
- - baseaddr: "aaf-ui"
- name: "aaf-gui"
- port: 8200
- config:
- ssl: "redirect"
-
-# Configure resource requests and limits
-resources:
- small:
- limits:
- cpu: 200m
- memory: 280Mi
- requests:
- cpu: 1m
- memory: 170Mi
- large:
- limits:
- cpu: 200m
- memory: 1Gi
- requests:
- cpu: 100m
- memory: 500Mi
- unlimited: {}
diff --git a/kubernetes/aaf/components/aaf-locate/.helmignore b/kubernetes/aaf/components/aaf-locate/.helmignore
deleted file mode 100644
index f0c1319444..0000000000
--- a/kubernetes/aaf/components/aaf-locate/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/aaf/components/aaf-locate/Chart.yaml b/kubernetes/aaf/components/aaf-locate/Chart.yaml
deleted file mode 100644
index 8cb2cf6324..0000000000
--- a/kubernetes/aaf/components/aaf-locate/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP AAF Locate
-name: aaf-locate
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: aaf-templates
- version: ~12.x-0
- repository: 'file://../aaf-templates'
diff --git a/kubernetes/aaf/components/aaf-locate/templates/NOTES.txt b/kubernetes/aaf/components/aaf-locate/templates/NOTES.txt
deleted file mode 100644
index bd74a42cd5..0000000000
--- a/kubernetes/aaf/components/aaf-locate/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-locate/templates/deployment.yaml b/kubernetes/aaf/components/aaf-locate/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-locate/templates/ingress.yaml b/kubernetes/aaf/components/aaf-locate/templates/ingress.yaml deleted file mode 100644 index 1b33c1f8d1..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/ingress.yaml +++ /dev/null @@ -1,2 +0,0 @@ - -{{ include "common.ingress" . }} diff --git a/kubernetes/aaf/components/aaf-locate/templates/service.yaml b/kubernetes/aaf/components/aaf-locate/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Orange
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/aaf/components/aaf-locate/values.yaml b/kubernetes/aaf/components/aaf-locate/values.yaml
deleted file mode 100644
index 86a93214e7..0000000000
--- a/kubernetes/aaf/components/aaf-locate/values.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications © 2020 AT&T, Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-global:
- nodePortPrefix: 302
- persistence:
- enabled: true
- # Standard OOM
- pullPolicy: "Always"
-
- aaf:
- image: onap/aaf/aaf_core:2.1.23
- config:
- image: onap/aaf/aaf_config:2.1.23
-
-
-flavor: small
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-replicaCount: 1
-
-binary: locate
-
-sequence_order:
- - service
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 30
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
- port: api
-
-readiness:
- initialDelaySeconds: 5
- periodSeconds: 10
- port: api
-
-service:
- name: aaf-locate
- type: ClusterIP
- ports:
- - name: api
- protocol: http
- port: 8095
-
-ingress:
- enabled: false
- service:
- - baseaddr: "aaf-locate-api"
- name: "aaf-locate"
- port: 8095
- config:
- ssl: "redirect"
-
-# Configure resource requests and limits
-resources:
- small:
- limits:
- cpu: 500m
- memory: 320Mi
- requests:
- cpu: 1m
- memory: 210Mi
- large:
- limits:
- cpu: 400m
- memory: 1Gi
- requests:
- cpu: 40m
- memory: 500Mi
- unlimited: {}
diff --git a/kubernetes/aaf/components/aaf-oauth/.helmignore b/kubernetes/aaf/components/aaf-oauth/.helmignore
deleted file mode 100644
index f0c1319444..0000000000
--- a/kubernetes/aaf/components/aaf-oauth/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/aaf/components/aaf-oauth/Chart.yaml b/kubernetes/aaf/components/aaf-oauth/Chart.yaml
deleted file mode 100644
index edd932d51c..0000000000
--- a/kubernetes/aaf/components/aaf-oauth/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP AAF OAuth
-name: aaf-oauth
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: aaf-templates
- version: ~12.x-0
- repository: 'file://../aaf-templates'
diff --git a/kubernetes/aaf/components/aaf-oauth/templates/NOTES.txt b/kubernetes/aaf/components/aaf-oauth/templates/NOTES.txt
deleted file mode 100644
index bd74a42cd5..0000000000
--- a/kubernetes/aaf/components/aaf-oauth/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-oauth/templates/deployment.yaml b/kubernetes/aaf/components/aaf-oauth/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-oauth/templates/ingress.yaml b/kubernetes/aaf/components/aaf-oauth/templates/ingress.yaml deleted file mode 100644 index 1b33c1f8d1..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/ingress.yaml +++ /dev/null @@ -1,2 +0,0 @@ - -{{ include "common.ingress" . }} diff --git a/kubernetes/aaf/components/aaf-oauth/templates/service.yaml b/kubernetes/aaf/components/aaf-oauth/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Orange
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/aaf/components/aaf-oauth/values.yaml b/kubernetes/aaf/components/aaf-oauth/values.yaml
deleted file mode 100644
index a103fb2e22..0000000000
--- a/kubernetes/aaf/components/aaf-oauth/values.yaml
+++ /dev/null
@@ -1,95 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications © 2020 AT&T, Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-global:
- nodePortPrefix: 302
- persistence:
- enabled: true
- # Standard OOM
- pullPolicy: "Always"
-
- aaf:
- image: onap/aaf/aaf_core:2.1.23
- config:
- image: onap/aaf/aaf_config:2.1.23
-
-
-flavor: small
-
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-
-replicaCount: 1
-
-binary: oauth
-
-sequence_order:
- - service
- - locate
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 30
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
- port: api
-
-readiness:
- initialDelaySeconds: 5
- periodSeconds: 10
- port: api
-
-service:
- name: aaf-oauth
- type: ClusterIP
- ports:
- - name: api
- protocol: http
- port: 8140
-
-ingress:
- enabled: false
- service:
- - baseaddr: "aaf-oauth-api"
- name: "aaf-oauth"
- port: 8140
- config:
- ssl: "redirect"
-
-# Configure resource requests and limits
-resources:
- small:
- limits:
- cpu: 40m
- memory: 320Mi
- requests:
- cpu: 1m
- memory: 210Mi
- large:
- limits:
- cpu: 400m
- memory: 600Mi
- requests:
- cpu: 40m
- memory: 200Mi
- unlimited: {}
diff --git a/kubernetes/aaf/components/aaf-service/.helmignore b/kubernetes/aaf/components/aaf-service/.helmignore
deleted file mode 100644
index f0c1319444..0000000000
--- a/kubernetes/aaf/components/aaf-service/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/aaf/components/aaf-service/Chart.yaml b/kubernetes/aaf/components/aaf-service/Chart.yaml
deleted file mode 100644
index 3aafca3278..0000000000
--- a/kubernetes/aaf/components/aaf-service/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP AAF Service
-name: aaf-service
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: aaf-templates
- version: ~12.x-0
- repository: 'file://../aaf-templates'
\ No newline at end of file
diff --git a/kubernetes/aaf/components/aaf-service/templates/deployment.yaml b/kubernetes/aaf/components/aaf-service/templates/deployment.yaml
deleted file mode 100644
index 656aa1746d..0000000000
--- a/kubernetes/aaf/components/aaf-service/templates/deployment.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "aaf.deployment" . }}
diff --git a/kubernetes/aaf/components/aaf-service/templates/ingress.yaml b/kubernetes/aaf/components/aaf-service/templates/ingress.yaml
deleted file mode 100644
index 40b4bba0ce..0000000000
--- a/kubernetes/aaf/components/aaf-service/templates/ingress.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-{{ include "common.ingress" . }}
-
-
diff --git a/kubernetes/aaf/components/aaf-service/templates/service.yaml b/kubernetes/aaf/components/aaf-service/templates/service.yaml
deleted file mode 100644
index ea95e44497..0000000000
--- a/kubernetes/aaf/components/aaf-service/templates/service.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Orange
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/aaf/components/aaf-service/values.yaml b/kubernetes/aaf/components/aaf-service/values.yaml
deleted file mode 100644
index a6f3c5dc4e..0000000000
--- a/kubernetes/aaf/components/aaf-service/values.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications © 2020 AT&T, Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-global:
- nodePortPrefix: 302
- persistence:
- enabled: true
- # Standard OOM
- pullPolicy: "Always"
-
- aaf:
- image: onap/aaf/aaf_core:2.1.23
- config:
- image: onap/aaf/aaf_config:2.1.23
-
-
-flavor: small
-
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-
-replicaCount: 1
-
-binary: service
-
-sequence_order:
- - cass
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 30
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
- port: api
-
-readiness:
- initialDelaySeconds: 5
- periodSeconds: 10
- port: api
-
-service:
- name: aaf-service
- type: ClusterIP
- ports:
- - name: api
- port: 8100
- protocol: http
-
-ingress:
- enabled: false
- service:
- - baseaddr: "aaf-service-api"
- name: "aaf-service"
- port: 8100
- config:
- ssl: "redirect"
-
-# Configure resource requests and limits
-resources:
- small:
- limits:
- cpu: 250m
- memory: 360Mi
- requests:
- cpu: 10m
- memory: 250Mi
- large:
- limits:
- cpu: 400m
- memory: 1Gi
- requests:
- cpu: 40m
- memory: 300Mi
- unlimited: {}
diff --git a/kubernetes/aaf/components/aaf-sms/Chart.yaml b/kubernetes/aaf/components/aaf-sms/Chart.yaml
deleted file mode 100644
index ef34888493..0000000000
--- a/kubernetes/aaf/components/aaf-sms/Chart.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2018 Intel Corporation, Inc
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP Secret Management Service
-name: aaf-sms
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
- repository: '@local'
- - name: aaf-sms-quorumclient
- version: ~12.x-0
- repository: 'file://components/aaf-sms-quorumclient'
- - name: aaf-sms-vault
- version: ~12.x-0
- repository: 'file://components/aaf-sms-vault'
diff --git a/kubernetes/aaf/components/aaf-sms/Makefile b/kubernetes/aaf/components/aaf-sms/Makefile
deleted file mode 100644
index ef273d0e9b..0000000000
--- a/kubernetes/aaf/components/aaf-sms/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-sms/components/Makefile b/kubernetes/aaf/components/aaf-sms/components/Makefile deleted file mode 100644 index 79ba2fb47e..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/Chart.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/Chart.yaml deleted file mode 100644 index 5af948eddc..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Secret Management Service Quorum Client -name: aaf-sms-quorumclient -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/resources/config/config.json b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/resources/config/config.json deleted file mode 100644 index 3a43f00019..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/resources/config/config.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "url":"https://aaf-sms.{{ include "common.namespace" . }}:10443", - "cafile": "/quorumclient/certs/aaf_root_ca.cer", - "clientcert":"client.cert", - "clientkey":"client.key", - "timeout":"10s" -} \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/configmap.yaml deleted file mode 100644 index 471c9094aa..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/configmap.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/pv.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/pv.yaml deleted file mode 100644 index d855ae6fdf..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- $global := . }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) }} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/statefulset.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/statefulset.yaml deleted file mode 100644 index 0e9e66dc47..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/statefulset.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: {{ include "common.servicename" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- if .Values.persistence.enabled }} - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /quorumclient/auth - chown -R 100:1000 /quorumclient/auth - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /quorumclient/auth - name: {{ include "common.fullname" . }}-data -{{- end }} - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/quorumclient/bin/quorumclient"] - workingDir: /quorumclient/ - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /quorumclient/config.json - name: {{ include "common.name" .}} - subPath: config.json -{{- if .Values.persistence.enabled }} - - mountPath: /quorumclient/auth - name: {{ include "common.fullname" . }}-data -{{- end }} - resources: -{{ include "common.resources" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name : {{ include "common.name" . }} - configMap: - name: {{ include "common.fullname" . }} - items: - - key: config.json - path: config.json - mode: 0755 -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/values.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/values.yaml deleted file mode 100644 index d41d31ce82..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/values.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/smsquorumclient:4.0.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 3 - -nodeSelector: {} - -affinity: {} - -service: - name: aaf-sms - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 10Mi - mountPath: /dockerdata-nfs - mountSubPath: sms/quorum/data - -ingress: - enabled: false - -flavor: small - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 40m - memory: 40Mi - requests: - cpu: 1m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 700Mi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/Chart.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/Chart.yaml deleted file mode 100644 index 44554e3432..0000000000 
--- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Chart to launch Vault as SMS backend -name: aaf-sms-vault -appVersion: 0.9.5 -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/configmap.yaml deleted file mode 100644 index 0d09221644..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/configmap.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-vault - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - config.json: | - {{ .Values.config.vault | toJson }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-consul - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - config.json: | - {{ .Values.config.consul | toJson }} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/pv.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/pv.yaml deleted file mode 100644 index d855ae6fdf..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- $global := . }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) }} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/service.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/service.yaml deleted file mode 100644 index b642e39540..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.portName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} 
diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/statefulset.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/statefulset.yaml deleted file mode 100644 index 994e1555d3..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/statefulset.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: {{ include "common.servicename" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: -{{- if .Values.persistence.enabled }} - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /consul/data - chown -R 100:1000 /consul/data - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /consul/data - name: {{ include "common.fullname" . }}-data -{{- end }} - containers: - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.vault }} - name: {{ include "common.name" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: ["server"] - ports: - - containerPort: {{ .Values.service.internalPort }} - volumeMounts: - - mountPath: /vault/config/config.json - name: {{ include "common.fullname" . }}-vault - subPath: config.json - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 10 }} - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.consul }} - name: {{ include "common.name" . }}-backend - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: ["agent","-server","-bind","0.0.0.0","-bootstrap-expect=1","-config-file","/consul/config/config.json"] - ports: - - name: http - containerPort: 8500 - volumeMounts: -{{- if .Values.persistence.enabled }} - - mountPath: /consul/data - name: {{ include "common.fullname" . }}-data -{{- end }} - - mountPath: /consul/config/config.json - name: {{ include "common.fullname" . }}-consulconfiguration - subPath: config.json - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 10 }} - volumes: - - name: {{ include "common.fullname" . }}-consulconfiguration - configMap: - name: {{ include "common.fullname" . }}-consul - - name: {{ include "common.fullname" . }}-vault - configMap: - name: {{ include "common.fullname" . }}-vault - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . 
}}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/values.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/values.yaml deleted file mode 100644 index e170ce7ef5..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/values.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - -# application image -image: - consul: library/consul:1.7.1 - vault: library/vault:1.3.3 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -################################################################# -# Application configuration defaults. 
-################################################################# -config: - consul: - server: true - log_level: INFO - data_dir: '/consul/data' - ports: - http: 8500 - https: -1 - - vault: - storage: - consul: - address: localhost:8500 - path: smsvault - listener: - tcp: - address: '[::]:8200' - tls_disable: true - disable_mlock: true - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: sms/consul/data - -service: - type: ClusterIP - name: aaf-sms-db - portName: aaf-sms-db - internalPort: 8200 - externalPort: 8200 - -ingress: - enabled: false - -flavor: small - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 400m - memory: 80Mi - requests: - cpu: 40m - memory: 40Mi - large: - limits: - cpu: 400m - memory: 700Mi - requests: - cpu: 40m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem b/kubernetes/aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem deleted file mode 100644 index 7939846bf0..0000000000 --- a/kubernetes/aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem +++ /dev/null 
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB
-RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN
-MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG
-A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL
-neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d
-o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3
-nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV
-v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO
-15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw
-gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV
-M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/
-BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
-AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q
-ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl
-u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+
-+pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/
-QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht
-8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX
-kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3
-aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky
-uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w
-tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep
-BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k=
------END CERTIFICATE-----
diff --git a/kubernetes/aaf/components/aaf-sms/resources/config/has.json b/kubernetes/aaf/components/aaf-sms/resources/config/has.json
deleted file mode 100644
index ef42ce98d3..0000000000
--- a/kubernetes/aaf/components/aaf-sms/resources/config/has.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "domain": {
- "name": "has",
- "secrets": [
- {
- "name": "aai",
- "values": {
- "username": "${AAI_USER}",
- "password": "${AAI_PASS}"
- }
- },
- {
- "name": "conductor_api",
- "values": {
- "username": "${CONDUCTOR_USER}",
- "password": "${CONDUCTOR_PASS}"
- }
- },
- {
- "name": "sdnc",
- "values": {
- "username": "${SDNC_USER}",
- "password": "${SDNC_PASS}"
- }
- },
- {
- "name": "music_api",
- "values": {
- "aafuser": "${MUSIC_USER}",
- "aafpass": "${MUSIC_PASS}",
- "aafns": "conductor"
- }
- },
- {
- "name": "aaf_api",
- "values": {
- "username": "${AAF_USER}",
- "password": "${AAF_PASS}",
- "aaf_conductor_user": "oof@oof.onap.org"
- }
- },
- {
- "name": "sdc",
- "values": {
- "username": "${SDC_USER}",
- "password": "${SDC_PASS}"
- }
- }
- ]
- }
-}
diff --git a/kubernetes/aaf/components/aaf-sms/resources/config/osdf.json b/kubernetes/aaf/components/aaf-sms/resources/config/osdf.json
deleted file mode 100644
index c14f7ee4ba..0000000000
--- a/kubernetes/aaf/components/aaf-sms/resources/config/osdf.json
+++ /dev/null
@@ -1,112 +0,0 @@
-{
- "domain": {
- "name": "osdf",
- "secrets": [
- {
- "name": "so",
- "values": {
- "UserName": "${SO_USER}",
- "Password": "${SO_PASS}"
- }
- },
- {
- "name": "conductor",
- "values": {
- "UserName": "${CONDUCTOR_USER}",
- "Password": "${CONDUCTOR_PASS}"
- }
- },
- {
- "name": "policyPlatform",
- "values": {
- "UserName": "${POLICY_PLAT_USER}",
- "Password": "${POLICY_PLAT_PASS}"
- }
- },
- {
- "name": "policyClient",
- "values": {
- "UserName": "${POLICY_CLI_USER}",
- "Password": "${POLICY_CLI_PASS}"
- }
- },
- {
- "name": "dmaap",
- "values": {
- "UserName": "NA",
- "Password": "NA"
- }
- },
- {
- "name": "sdc",
- "values": {
- "UserName": "NA",
- "Password": "NA"
- }
- },
- {
- "name": "osdfPlacement",
- "values": {
- "UserName": "${OSDF_PLACEMENT_USER}",
- "Password": "${OSDF_PLACEMENT_PASS}"
- }
- },
- {
- "name": "osdfPlacementSO",
- "values": {
- "UserName": "${OSDF_PLACEMENT_SO_USER}",
- "Password": "${OSDF_PLACEMENT_SO_PASS}"
- }
- },
- {
- "name": "osdfPlacementVFC",
- "values": {
- "UserName": "${OSDF_PLACEMENT_VFC_USER}",
- "Password": "${OSDF_PLACEMENT_VFC_PASS}"
- }
- },
- {
- "name": "osdfCMScheduler",
- "values": {
- "UserName": "${OSDF_CM_SCHEDULER_USER}",
- "Password": "${OSDF_CM_SCHEDULER_PASS}"
- }
- },
- {
- "name": "configDb",
- "values": {
- "UserName": "${CONFIG_DB_USER}",
- "Password": "${CONFIG_DB_PASS}"
- }
- },
- {
- "name": "pciHMS",
- "values": {
- "UserName": "",
- "Password": ""
- }
- },
- {
- "name": "osdfPCIOpt",
- "values": {
- "UserName": "${OSDF_PCI_OPT_USER}",
- "Password": "${OSDF_PCI_OPT_PASS}"
- }
- },
- {
- "name": "osdfOptEngine",
- "values": {
- "UserName": "${OSDF_OPT_ENGINE_USER}",
- "Password": "${OSDF_OPT_ENGINE_PASS}"
- }
- }{{ if .Values.cps.enabled }},
- {
- "name": "cps",
- "values": {
- "UserName": "${CPS_USER}",
- "Password": "${CPS_PASS}"
- }
- }{{ end }}
- ]
- }
-}
diff --git a/kubernetes/aaf/components/aaf-sms/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sms/templates/configmap.yaml
deleted file mode 100644
index a74fe277b7..0000000000
--- a/kubernetes/aaf/components/aaf-sms/templates/configmap.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
- smsconfig.json: |
- {{ .Values.config | toJson }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-preload
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}-preload
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/aaf/components/aaf-sms/templates/deployment.yaml b/kubernetes/aaf/components/aaf-sms/templates/deployment.yaml
deleted file mode 100644
index cfe54cf07b..0000000000
--- a/kubernetes/aaf/components/aaf-sms/templates/deployment.yaml
+++ /dev/null
@@ -1,149 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 8 }} - # Currently intermediate certificate is not given by AAF CM so we need - # to give it "by hand" - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-add-intermediate-cert - command: - - /bin/sh - args: - - -c - - | - cat /int-certs/intermediate_root_ca.pem >> {{ .Values.certInitializer.mountPath }}/local/org.onap.aaf-sms.crt - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - - mountPath: /int-certs - name: {{ include "common.fullname" . 
}}-int-certs - readOnly: true - {{- end }} - - name: {{ include "common.fullname" . }}-fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /sms/auth - chown -R 1000:1000 /sms/auth - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /sms/auth - name: {{ include "common.fullname" . }}-auth - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "aaf-sms-vault" - - --container-name - - "aaf-sms-vault-backend" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }} - command: ["/sms/bin/sms"] - workingDir: /sms/ - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - port: {{ .Values.service.internalPort }} - scheme: HTTPS - path: /v1/sms/quorum/status - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - httpGet: - port: {{ .Values.service.internalPort }} - scheme: HTTPS - path: /v1/sms/quorum/status - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /sms/smsconfig.json - name: {{ include "common.name" .}} - subPath: smsconfig.json - - mountPath: /sms/auth - name: {{ include "common.fullname" . }}-auth - resources: -{{ include "common.resources" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - name : {{ include "common.name" . }} - configMap: - name: {{ include "common.fullname" . }} - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-int-certs - secret: - secretName: {{ include "common.fullname" . }}-int-certs - {{- end }} - - name: {{ include "common.fullname" . }}-auth - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-sms/templates/job.yaml b/kubernetes/aaf/components/aaf-sms/templates/job.yaml deleted file mode 100644 index 2370cf60de..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/job.yaml +++ /dev/null 
@@ -1,217 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-preload - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . 
| nindent 6 }} - - command: - - sh - args: - - -c - - "export AAI_PASS=${AAI_PASS_PLAIN}; - export CONDUCTOR_PASS=${CONDUCTOR_PASS_PLAIN}; - export SDNC_PASS=${SDNC_PASS_PLAIN}; - export MUSIC_PASS=${MUSIC_PASS_PLAIN}; - export AAF_PASS=${AAF_PASS_PLAIN}; - export POLICY_PLAT_PASS=${POLICY_PLAT_PASS_PLAIN}; - export POLICY_CLI_PASS=${POLICY_CLI_PASS_PLAIN}; - export OSDF_PLACEMENT_PASS=${OSDF_PLACEMENT_PASS_PLAIN}; - export OSDF_PLACEMENT_SO_PASS=${OSDF_PLACEMENT_SO_PASS_PLAIN}; - export OSDF_PLACMENET_VFC_PASS=${OSDF_PLACEMENT_VFC_PASS_PLAIN}; - export OSDF_CM_SCHEDULER_PASS=${OSDF_CM_SCHEDULER_PASS_PLAIN}; - export CONFIG_DB_PASS=${CONFIG_DB_PASS_PLAIN}; - export OSDF_PCI_OPT_PASS=${OSDF_PCI_OPT_PASS_PLAIN}; - export OSDF_OPT_ENGINE_PASS=${OSDF_OPT_ENGINE_PASS_PLAIN}; - export SO_PASS=${SO_PASS_PLAIN}; - export SDC_PASS=${SDC_PASS_PLAIN}; - {{- if .Values.cps.enabled }} - export CPS_PASS=${CPS_PASS_PLAIN}; - {{- end }} - cd /config-input; - for PFILE in `find . -not -type d | grep -v -F ..`; do - envsubst <${PFILE} >/config/${PFILE}; - done" - env: - - name: AAI_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-creds" "key" "login") | indent 10 }} - - name: AAI_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-creds" "key" "password") | indent 10 }} - - - name: CONDUCTOR_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "conductor-creds" "key" "login") | indent 10 }} - - name: CONDUCTOR_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "conductor-creds" "key" "password") | indent 10 }} - - - name: SDNC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-creds" "key" "login") | indent 10 }} - - name: SDNC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdnc-creds" "key" "password") | indent 10 }} - - - name: MUSIC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "music-creds" "key" "login") | indent 10 }} - - name: MUSIC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "music-creds" "key" "password") | indent 10 }} - - - name: AAF_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-creds" "key" "login") | indent 10 }} - - name: AAF_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-creds" "key" "password") | indent 10 }} - - - name: POLICY_PLAT_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-plat-creds" "key" "login") | indent 10 }} - - name: POLICY_PLAT_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-plat-creds" "key" "password") | indent 10 }} - - - name: POLICY_CLI_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-cli-creds" "key" "login") | indent 10 }} - - name: POLICY_CLI_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-cli-creds" "key" "password") | indent 10 }} - - - name: OSDF_PLACEMENT_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-creds" "key" "login") | indent 10 }} - - name: OSDF_PLACEMENT_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-creds" "key" "password") | indent 10 }} - - - name: OSDF_PLACEMENT_SO_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-so-creds" "key" "login") | indent 10 }} - - name: OSDF_PLACEMENT_SO_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-so-creds" "key" "password") | indent 10 }} - - - name: OSDF_PLACEMENT_VFC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "osdf-placement-vfc-creds" "key" "login") | indent 10 }} - - name: OSDF_PLACEMENT_VFC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-vfc-creds" "key" "password") | indent 10 }} - - - name: OSDF_CM_SCHEDULER_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-cm-scheduler-creds" "key" "login") | indent 10 }} - - name: OSDF_CM_SCHEDULER_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-cm-scheduler-creds" "key" "password") | indent 10 }} - - - name: CONFIG_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "config-db-creds" "key" "login") | indent 10 }} - - name: CONFIG_DB_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "config-db-creds" "key" "password") | indent 10 }} - - - name: OSDF_PCI_OPT_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-pci-opt-creds" "key" "login") | indent 10 }} - - name: OSDF_PCI_OPT_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-pci-opt-creds" "key" "password") | indent 10 }} - - - name: OSDF_OPT_ENGINE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-opt-engine-creds" "key" "login") | indent 10 }} - - name: OSDF_OPT_ENGINE_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-opt-engine-creds" "key" "password") | indent 10 }} - - - name: SO_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-creds" "key" "login") | indent 10 }} - - name: SO_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-creds" "key" "password") | indent 10 }} - - - name: SDC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-creds" "key" "login") | indent 10 }} - - name: SDC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdc-creds" "key" "password") | indent 10 }} - {{- if .Values.cps.enabled }} - - name: CPS_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "login") | indent 10 }} - - name: CPS_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "password") | indent 10 }} - {{- end }} - - volumeMounts: - - mountPath: /config-input - name: {{ include "common.name" . }}-preload-input - - mountPath: /config/ - name: {{ include "common.name" . }}-preload - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - "aaf-sms" - - --container-name - - "aaf-sms-quorumclient" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-preload - command: - - "/sms/bin/preload" - - "-cacert" - - "{{ .Values.certInitializer.mountPath }}/local/{{ .Values.certInitializer.root_ca_name }}" - - "-jsondir" - - "/preload/config" - - "-serviceport" - - "{{ .Values.service.internalPort }}" - - "-serviceurl" - - "https://aaf-sms.{{ include "common.namespace" . }}" - workingDir: /sms - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /preload/config - name: {{ include "common.name" . }}-preload - resources: -{{ include "common.resources" . 
| indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - {{ include "common.waitForJobContainer" . | indent 6 | trim }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.name" . }}-preload-input - configMap: - name: {{ include "common.fullname" . }}-preload - - name: {{ include "common.name" . }}-preload - emptyDir: - medium: Memory - restartPolicy: OnFailure - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-sms/templates/pv.yaml b/kubernetes/aaf/components/aaf-sms/templates/pv.yaml deleted file mode 100644 index d06131feb5..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-{{- if eq "True" (include "common.needPV" .) }}
-kind: PersistentVolume
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
- release: {{ include "common.release" . }}
- heritage: "{{ .Release.Service }}"
- name: {{ include "common.fullname" . }}
-spec:
- capacity:
- storage: {{ .Values.persistence.size}}
- accessModes:
- - {{ .Values.persistence.accessMode }}
- persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }}
- storageClassName: "{{ include "common.fullname" . }}-data"
- hostPath:
- path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sms/templates/pvc.yaml b/kubernetes/aaf/components/aaf-sms/templates/pvc.yaml
deleted file mode 100644
index c46d50607c..0000000000
--- a/kubernetes/aaf/components/aaf-sms/templates/pvc.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
-{{- if .Values.persistence.annotations }}
- annotations:
-{{ toYaml .Values.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
- accessModes:
- - {{ .Values.persistence.accessMode }}
- resources:
- requests:
- storage: {{ .Values.persistence.size }}
- storageClassName: {{ include "common.storageClass" . }}
-{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sms/templates/secret.yaml b/kubernetes/aaf/components/aaf-sms/templates/secret.yaml
deleted file mode 100644
index 7a0213f16c..0000000000
--- a/kubernetes/aaf/components/aaf-sms/templates/secret.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/*
-# Copyright © 2020 Samsung Electronics, Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.secretFast" . }}
----
-{{- if .Values.global.aafEnabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-int-certs
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }}
-{{- end }}
diff --git a/kubernetes/aaf/components/aaf-sms/templates/service.yaml b/kubernetes/aaf/components/aaf-sms/templates/service.yaml
deleted file mode 100644
index 8f30164fec..0000000000
--- a/kubernetes/aaf/components/aaf-sms/templates/service.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - name: {{ .Values.service.PortName }}
- {{if eq .Values.service.type "NodePort" -}}
- port: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default "302" }}{{ .Values.service.nodePort }}
- {{- else -}}
- port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- {{- end}}
- protocol: TCP
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/aaf/components/aaf-sms/values.yaml b/kubernetes/aaf/components/aaf-sms/values.yaml
deleted file mode 100644
index 114ad23672..0000000000
--- a/kubernetes/aaf/components/aaf-sms/values.yaml
+++ /dev/null
@@ -1,283 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - aafEnabled: true - -flavor: small - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: aaf-sms-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aaf-sms - fqi: aaf-sms@aaf-sms.onap.org - public_fqdn: aaf-sms.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - mountPath: /opt/app/osaaf - keystore: truststoreONAPall.jks - keystore_pass: changeit - root_ca_alias: onaptestca - root_ca_name: aaf_root_ca.cer - permission_user: 1000 - permission_group: 1000 - aaf_add_config: > - cd {{ .Values.mountPath }}/local; - keytool -exportcert -rfc -file {{ .Values.root_ca_name }} -keystore {{ .Values.keystore }} - -alias {{ .Values.root_ca_alias }} -storepass {{ .Values.keystore_pass }}; - chown -R {{.Values.permission_user}}:{{.Values.permission_group}} - {{ .Values.mountPath }}; - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/aaf/sms:4.0.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -config: - smsdbaddress: "http://aaf-sms-db:8200" - cafile: "/opt/app/osaaf/local/aaf_root_ca.cer" - servercert: "/opt/app/osaaf/local/org.onap.aaf-sms.crt" - serverkey: "/opt/app/osaaf/local/org.onap.aaf-sms.key" - password: "c2VjcmV0bWFuYWdlbWVudHNlcnZpY2VzZWNyZXRwYXNzd29yZA==" - -# subchart configuration -vault: - nameOverride: smsdb - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 30 - -service: - type: ClusterIP - name: aaf-sms - portName: aaf-sms - internalPort: 10443 - externalPort: 10443 - -#define value for aaf-sms-quorumclient subchart -aaf-sms-quorumclient: - service: - name: aaf-sms - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: sms/auth - -ingress: - enabled: false - -cps: - enabled: true - -secrets: - - uid: aai-creds - type: basicAuth - login: '{{ .Values.oofCreds.aaiUsername }}' - password: '{{ .Values.oofCreds.aaiPassword }}' - passwordPolicy: required - - uid: conductor-creds - type: basicAuth - login: '{{ .Values.oofCreds.conductorUsername }}' - password: '{{ .Values.oofCreds.conductorPassword }}' - passwordPolicy: required - - uid: sdnc-creds - type: basicAuth - login: '{{ .Values.oofCreds.sdncUsername }}' - password: '{{ .Values.oofCreds.sdncPassword }}' - passwordPolicy: required - - uid: music-creds - type: basicAuth - login: '{{ .Values.oofCreds.musicUsername }}' - 
password: '{{ .Values.oofCreds.musicPassword }}' - passwordPolicy: required - - uid: aaf-creds - type: basicAuth - login: '{{ .Values.oofCreds.aafUsername }}' - password: '{{ .Values.oofCreds.aafPassword }}' - passwordPolicy: required - - uid: policy-plat-creds - type: basicAuth - login: '{{ .Values.oofCreds.policyPlatUsername }}' - password: '{{ .Values.oofCreds.policyPlatPassword }}' - passwordPolicy: required - - uid: policy-cli-creds - type: basicAuth - login: '{{ .Values.oofCreds.policyCliUsername }}' - password: '{{ .Values.oofCreds.policyCliPassword }}' - passwordPolicy: required - - uid: osdf-placement-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPlacementUsername }}' - password: '{{ .Values.oofCreds.osdfPlacementPassword }}' - passwordPolicy: required - - uid: osdf-placement-so-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPlacementSOUsername }}' - password: '{{ .Values.oofCreds.osdfPlacementSOPassword }}' - passwordPolicy: required - - uid: osdf-placement-vfc-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPlacementVFCUsername }}' - password: '{{ .Values.oofCreds.osdfPlacementVFCPassword }}' - passwordPolicy: required - - uid: osdf-cm-scheduler-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfCMSchedulerUsername }}' - password: '{{ .Values.oofCreds.osdfCMSchedulerPassword }}' - passwordPolicy: required - - uid: config-db-creds - type: basicAuth - login: '{{ .Values.oofCreds.configDbUsername }}' - password: '{{ .Values.oofCreds.configDbPassword }}' - passwordPolicy: required - - uid: osdf-pci-opt-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPCIOptUsername }}' - password: '{{ .Values.oofCreds.osdfPCIOptPassword }}' - passwordPolicy: required - - uid: osdf-opt-engine-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfOptEngineUsername }}' - password: '{{ .Values.oofCreds.osdfOptEnginePassword }}' - passwordPolicy: required - - uid: so-creds - type: basicAuth - login: '{{ 
.Values.oofCreds.soUsername }}' - password: '{{ .Values.oofCreds.soPassword }}' - passwordPolicy: required - - uid: sdc-creds - type: basicAuth - login: '{{ .Values.oofCreds.sdcUsername }}' - password: '{{ .Values.oofCreds.sdcPassword }}' - passwordPolicy: required - - uid: cps-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.oofCreds.cpsUserExternalSecret) . }}' - login: '{{ .Values.oofCreds.cpsUsername }}' - password: '{{ .Values.oofCreds.cpsPassword }}' - passwordPolicy: required -oofCreds: - aaiUsername: oof@oof.onap.org - aaiPassword: demo123456! - - conductorUsername: admin1 - conductorPassword: plan.15 - - sdncUsername: admin - sdncPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - - musicUsername: conductor - musicPassword: c0nduct0r - - aafUsername: aaf_admin@people.osaaf.org - aafPassword: demo123456! - - policyPlatUsername: healthcheck - policyPlatPassword: zb!XztG34 - - policyCliUsername: healthcheck - policyCliPassword: zb!XztG34 - - osdfPlacementUsername: test - osdfPlacementPassword: testpwd - - osdfPlacementSOUsername: so_test - osdfPlacementSOPassword: so_testpwd - - osdfPlacementVFCUsername: vfc_test - osdfPlacementVFCPassword: vfc_testpwd - - osdfCMSchedulerUsername: test1 - osdfCMSchedulerPassword: testpwd1 - - configDbUsername: osdf - configDbPassword: passwd - - osdfPCIOptUsername: pci_test - osdfPCIOptPassword: pci_testpwd - - osdfOptEngineUsername: opt_test - osdfOptEnginePassword: opt_testpwd - - soUsername: apihBpmn - soPassword: password1$ - - sdcUsername: aai - sdcPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - - cpsUsername: '' - cpsPassword: '' - cpsUserExternalSecret: '{{ include "common.release" . 
}}-cps-core-app-user-creds' - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 100m - memory: 400Mi - requests: - cpu: 25m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 25m - memory: 100Mi - unlimited: {} - -wait_for_job_container: - containers: - - '{{ include "common.name" . }}-preload' - diff --git a/kubernetes/aaf/components/aaf-sshsm/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/Chart.yaml deleted file mode 100644 index b30fd76d90..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/Chart.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Hardware Security Components -name: aaf-sshsm -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: aaf-sshsm-abrmd - version: ~12.x-0 - repository: 'file://components/aaf-sshsm-abrmd' - condition: aaf-sshsm-abrmd.enabled - - name: aaf-sshsm-distcenter - version: ~12.x-0 - repository: 'file://components/aaf-sshsm-distcenter' - condition: aaf-sshsm-distcenter.enabled - - name: aaf-sshsm-testca - version: ~12.x-0 - repository: 'file://components/aaf-sshsm-testca' - condition: aaf-sshsm-testca.testca.enabled 
diff --git a/kubernetes/aaf/components/aaf-sshsm/Makefile b/kubernetes/aaf/components/aaf-sshsm/Makefile deleted file mode 100644 index ef273d0e9b..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/Makefile +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
diff --git a/kubernetes/aaf/components/aaf-sshsm/README.md b/kubernetes/aaf/components/aaf-sshsm/README.md deleted file mode 100644 index a6f2e62cb9..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/README.md +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Helm Chart for ONAP Hardware Security Components - -This includes the following Kubernetes services: - -1. dist-center - A service that is used to create and distribute private keys -2. abrmd - A service that manages access to the TPM device - -# Service Dependencies - -All services depend on AAF \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sshsm/components/Makefile b/kubernetes/aaf/components/aaf-sshsm/components/Makefile deleted file mode 100644 index 79ba2fb47e..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/Chart.yaml deleted file mode 100644 index e6d6d6653d..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@
-# Copyright 2018 Intel Corporation, Inc
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP Trusted Platform Module Resource Manager
-name: aaf-sshsm-abrmd
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/configmap.yaml
deleted file mode 100644
index 8555a3c153..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/configmap.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if .Values.global.tpm.enabled -}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
-data:
-{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
-
-{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/deployment.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/deployment.yaml
deleted file mode 100644
index a2df4e53b9..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/deployment.yaml
+++ /dev/null
@@ -1,89 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.tpm.enabled -}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - serviceName: - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-job-complete - command: - - /app/ready.py - args: - - -j - - "{{ include "common.fullname" . }}-init" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/abrmd/bin/run_abrmd.sh"] - workingDir: /abrmd/bin - securityContext: - privileged: true - volumeMounts: - - name: {{ include "common.fullname" . }}-dbus - mountPath: /var/run/dbus - - name: {{ include "common.fullname" . 
}}-tpm-device - mountPath: /dev/tpm0 - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: {{ include "common.resources" . | nindent 10 }} - nodeSelector: - {{- if .Values.nodeSelector }} - {{ toYaml .Values.nodeSelector | indent 8 | trim }} - {{- end }} - {{- if .Values.global.tpm.enabled }} - {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-dbus - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-dbus - - name: {{ include "common.fullname" . }}-tpm-device - hostPath: - path: /dev/tpm0 - -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/job.yaml deleted file mode 100644 index 8a8b6bd8fe..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/job.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.tpm.enabled -}} - -apiVersion: batch/v1 -kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - backoffLimit: 2 - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - containers: - - name: {{ include "common.name" . }}-job - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/abrmd/bin/initialize_tpm.sh"] - workingDir: /abrmd/bin - securityContext: - privileged: true - env: - - name: TPM_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ABRMD_DATA - value: /abrmd/data - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /abrmd/data - - name: {{ include "common.fullname" . }}-tpm-device - mountPath: /dev/tpm0 - - name: {{ include "common.fullname" . }}-tpmconfig - mountPath: "/abrmd/cred/" - readOnly: true - resources: {{ include "common.resources" . 
| nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- if .Values.global.tpm.enabled }} - {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} - {{- end -}} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-data - - name: {{ include "common.fullname" . }}-tpm-device - hostPath: - path: /dev/tpm0 - - name: {{ include "common.fullname" . }}-tpmconfig - secret: - secretName: {{ include "common.release" . }}-aaf-sshsm - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/values.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/values.yaml deleted file mode 100644 index e97519aa3e..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/values.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - tpm: - enabled: true - # if enabled, nodeselector will use the below - # values in the nodeselector section of the pod - nodeLabel: "tpm-node" - nodeLabelValue: "true" - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/abrmd:4.0.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 1 - -# TPM specific node selection is done at parent chart aaf-sshsm -nodeSelector: {} - -affinity: {} - -ingress: - enabled: false - -# Configure resource requests and limits -flavor: small -resources: - small: - limits: - cpu: 20m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/Chart.yaml deleted file mode 100644 index 0d57836d10..0000000000 
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/Chart.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 2018 Intel Corporation, Inc
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP Trusted Platform Module Distribution Center
-name: aaf-sshsm-distcenter
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/configmap.yaml
deleted file mode 100644
index 2e82f5bd26..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/configmap.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
-data:
-{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
\ No newline at end of file
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/job.yaml
deleted file mode 100644
index f74b5c8f2d..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/job.yaml
+++ /dev/null
@@ -1,101 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - serviceName: - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - initContainers: -{{- if .Values.global.tpm.enabled }} - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-aaf-sshsm-abrmd-init" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{ else }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-gen-passphrase - command: ["sh", "-c", "/usr/bin/openssl rand -base64 12 >/distcenter/data/passphrase"] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . 
}}-data - mountPath: /distcenter/data - resources: - limits: - cpu: 1 - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end }} - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/entrypoint.sh"] - workingDir: /distcenter - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /distcenter/data - resources: {{ include "common.resources" . | nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pv.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pv.yaml deleted file mode 100644 index 22acb2a609..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pv.yaml +++ /dev/null 
@@ -1,17 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.PV" . }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pvc.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pvc.yaml
deleted file mode 100644
index 1c7f6ffe4a..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pvc.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.PVC" . }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/values.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/values.yaml
deleted file mode 100644
index fb42843cb7..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/values.yaml
+++ /dev/null
@@ -1,70 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - tpm: - enabled: true - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/distcenter:4.0.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 10Mi - mountPath: /dockerdata-nfs - mountSubPath: sshsm/distcenter/data - -ingress: - enabled: false - -# Configure resource requests and limits -flavor: small -resources: - small: - limits: - cpu: 20m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/Chart.yaml deleted file mode 100644 index ec513a0748..0000000000 
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/Chart.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 2018 Intel Corporation, Inc
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP Trusted Platform Module Test CA Service
-name: aaf-sshsm-testca
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/templates/job.yaml
deleted file mode 100644
index 71e7c299bc..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/templates/job.yaml
+++ /dev/null
@@ -1,126 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - initContainers: - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-distcenter-ready - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-aaf-sshsm-distcenter" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- if .Values.global.tpm.enabled }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-abrmd-ready - command: ["sh", "/sshsm/bin/abrmd_ready.sh", "300"] - workingDir: /testca/bin - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - name: {{ include "common.fullname" . 
}}-dbus - mountPath: /var/run/dbus - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end }} - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["./import.sh"] - workingDir: /testca/bin - env: -{{- if .Values.global.tpm.enabled }} - - name: TPM_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: DATA_FOLDER - value: /testca/data/host_$(TPM_NODE_NAME) -{{ else }} - - name: DATA_FOLDER - value: /testca/data -{{- end }} - - name: SECRETS_FOLDER - value: /testca/secrets - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /testca/data - - name: {{ include "common.fullname" . }}-dbus - mountPath: /var/run/dbus - - name: {{ include "common.fullname" . }}-secrets - mountPath: /testca/secrets - readOnly: true - resources: {{ include "common.resources" . | nindent 10 }} - nodeSelector: - {{- if .Values.nodeSelector }} - {{ toYaml .Values.nodeSelector | indent 8 | trim }} - {{- end -}} - {{- if .Values.global.tpm.enabled }} - {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm - - name: {{ include "common.fullname" . }}-dbus - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-dbus - - name: {{ include "common.fullname" . }}-secrets - secret: - secretName: {{ include "common.release" . }}-aaf-sshsm - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/values.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/values.yaml deleted file mode 100644 index f116c6d5e9..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/values.yaml +++ /dev/null 
@@ -1,66 +0,0 @@
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#################################################################
-# Global configuration defaults.
-#################################################################
-
-global:
- tpm:
- enabled: true
- # if enabled, nodeselector will use the below
- # values in the nodeselector section of the pod
- nodeLabel: "tpm-node"
- nodeLabelValue: "true"
-
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-image: onap/aaf/testcaservice:4.0.0
-pullPolicy: Always
-
-# flag to enable debugging - application support required
-debugEnabled: false
-
-# application configuration
-# Example:
-# default number of instances
-replicaCount: 1
-
-nodeSelector: {}
-
-affinity: {}
-
-ingress:
- enabled: false
-
-# Configure resource requests and limits
-flavor: small
-resources:
- small:
- limits:
- cpu: 50m
- memory: 100Mi
- requests:
- cpu: 10m
- memory: 10Mi
- large:
- limits:
- cpu: 400m
- memory: 1Gi
- requests:
- cpu: 10m
- memory: 100Mi
- unlimited: {}
diff --git a/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd b/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd
deleted file mode 100644
index 640b325898..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd
+++ /dev/null
@@ -1 +0,0 @@
-cHJpbWFyeXBhc3N3b3JkCg==
diff --git a/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle b/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle
deleted file mode 100644
index b8b9d8ddb0..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle
+++ /dev/null
@@ -1 +0,0 @@
-MHg4MTAwMDAyMwo=
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml
deleted file mode 100644
index b566b11458..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.PV" (dict "dot" . "persistenceInfos" .Values.persistence.data) }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml
deleted file mode 100644
index b3e7f9fabd..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.PV" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml
deleted file mode 100644
index b8971cc03c..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.PVC" (dict "dot" . "persistenceInfos" .Values.persistence.data) }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml
deleted file mode 100644
index 7297d6f81d..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.PVC" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml
deleted file mode 100644
index 4be63fa18b..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{/*
-# Copyright 2018 Intel Corporation, Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
-type: Opaque
-data:
-{{ (.Files.Glob "resources/config/*").AsSecrets | indent 2 }}
\ No newline at end of file
diff --git a/kubernetes/aaf/components/aaf-sshsm/values.yaml b/kubernetes/aaf/components/aaf-sshsm/values.yaml
deleted file mode 100644
index 7e8d4f1352..0000000000
--- a/kubernetes/aaf/components/aaf-sshsm/values.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-# Copyright 2018 Intel Corporation, Inc
-# Modifications © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#################################################################
-# Global configuration defaults.
-#################################################################
-global:
- nodePortPrefix: 302
- # Standard OOM
- pullPolicy: "Always"
-
- tpm:
- enabled: false
- # if enabled, nodeselector will use the below
- # values in the nodeselector section of the pod
- nodeLabel: "tpm-node"
- nodeLabelValue: "true"
- persistence: {}
-
-aaf-sshsm-abrmd:
- enabled: true
-aaf-sshsm-distcenter:
- enabled: true
-aaf-sshsm-testca:
- enabled: true
-
-persistence:
- enabled: true
- data:
- enabled: true
- size: 10Mi
- volumeReclaimPolicy: Retain
- accessMode: ReadWriteOnce
- mountSubPath: sshsm/data
- dbus:
- enabled: true
- size: 10Mi
- volumeReclaimPolicy: Retain
- accessMode: ReadWriteOnce
- mountSubPath: sshsm/dbus
-
-
-
-# Configure resource requests and limits
-resources:
- small:
- limits:
- cpu: 20m
- memory: 50Mi
- requests:
- cpu: 10m
- memory: 10Mi
- large:
- limits:
- cpu: 400m
- memory: 1Gi
- requests:
- cpu: 10m
- memory: 100Mi
- unlimited: {}
diff --git a/kubernetes/aaf/components/aaf-templates/Chart.yaml b/kubernetes/aaf/components/aaf-templates/Chart.yaml
deleted file mode 100644
index 301f65c9b0..0000000000
--- a/kubernetes/aaf/components/aaf-templates/Chart.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright © 2020-2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP Application Authorization Framework Templates
-name: aaf-templates
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/aaf/components/aaf-templates/templates/_deployment.tpl b/kubernetes/aaf/components/aaf-templates/templates/_deployment.tpl
deleted file mode 100644
index c0614b255e..0000000000
--- a/kubernetes/aaf/components/aaf-templates/templates/_deployment.tpl
+++ /dev/null
@@ -1,84 +0,0 @@ -{*/ -# Copyright © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/} - -{{- define "aaf.deployment" -}} -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - {{- if (include "common.onServiceMesh" .) }} - annotations: - sidecar.istio.io/inject: "false" - {{- end }} - spec: {{ include "aaf.initContainers" . | nindent 6 }} - containers: - - name: {{ include "common.name" . }} - workingDir: /opt/app/aaf - command: ["bin/{{ .Values.binary }}"] - image: {{ include "repositoryGenerator.repository" . }}/{{.Values.global.aaf.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . 
| nindent 10 }} - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/osaaf/etc/org.osaaf.aaf.log4j.props - name: aaf-log - subPath: org.osaaf.aaf.log4j.props - - mountPath: /opt/app/osaaf/data/ - name: config-identity - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{.Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-config-vol - emptyDir: {} - - name: aaf-log - configMap: - name: {{ include "common.release" . }}-aaf-log - - name: config-init-identity - configMap: - name: {{ include "common.release" . }}-aaf-identity - - name: config-identity - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-templates/templates/_initContainers.tpl b/kubernetes/aaf/components/aaf-templates/templates/_initContainers.tpl deleted file mode 100644 index 755315296d..0000000000 --- a/kubernetes/aaf/components/aaf-templates/templates/_initContainers.tpl +++ /dev/null 
@@ -1,130 +0,0 @@ -{*/ -# Copyright © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/} - -{{- define "aaf.permissionFixer" -}} -- name: onboard-identity-and-fix-permission - command: - - /bin/sh - args: - - -c - - | - echo "*** Move files from configmap to emptyDir" - cp -L /config-input-identity/* /config-identity/ - echo "*** set righ user to the different folders" - chown -R 1000:1000 /config-identity - chown -R 1000:1000 /opt/app/aaf - chown -R 1000:1000 /opt/app/osaaf - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/osaaf - name: aaf-config-vol - - mountPath: /config-input-identity - name: config-init-identity - - mountPath: /config-identity - name: config-identity - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end -}} - -{{- define "aaf.podConfiguration" }} -- name: {{ include "common.name" . }}-config-container - image: {{ include "repositoryGenerator.repository" . 
}}/{{.Values.global.aaf.config.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /bin/bash - args: - - -c - - | - cd /opt/app/aaf_config - bin/agent.sh - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - env: - - name: aaf_env - value: "{{ .Values.global.aaf.aaf_env }}" - - name: cadi_latitude - value: "{{ .Values.global.aaf.cadi_latitude }}" - - name: cadi_longitude - value: "{{ .Values.global.aaf.cadi_longitude }}" - - name: cadi_x509_issuers - value: "{{ .Values.global.aaf.cadi_x509_issuers }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:8095" - - name: aaf_locator_container - value: "oom" - - name: aaf_release - value: "{{ .Values.global.aaf.aaf_release }}" - - name: aaf_locator_container_ns - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: aaf_locator_public_fqdn - value: "{{.Values.global.aaf.public_fqdn}}" - - name: aaf_locator_name - value: "{{.Values.global.aaf.aaf_locator_name}}" - - name: aaf_locator_name_oom - value: "{{.Values.global.aaf.aaf_locator_name_oom}}" - - name: cm_always_ignore_ips - value: "true" - - name: CASSANDRA_CLUSTER - value: "aaf-cass.{{ .Release.Namespace }}" - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end -}} - -{{- define "aaf.initContainers" -}} -initContainers: -{{ include "aaf.permissionFixer" . }} -{{- if .Values.sequence_order }} -- name: {{ include "common.name" . }}-aaf-readiness - command: - - /app/ready.py - args: - {{- range $container := .Values.sequence_order }} - - --container-name - - aaf-{{ $container}} - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end }} -{{ include "aaf.podConfiguration" . }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-templates/values.yaml b/kubernetes/aaf/components/aaf-templates/values.yaml deleted file mode 100644 index 73efdc6132..0000000000 --- a/kubernetes/aaf/components/aaf-templates/values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/kubernetes/aaf/resources/data/identities.dat b/kubernetes/aaf/resources/data/identities.dat deleted file mode 100644 index 4813cc19fc..0000000000 --- a/kubernetes/aaf/resources/data/identities.dat +++ /dev/null 
@@ -1,94 +0,0 @@ -{{/* -# -# Sample Identities.dat -# This file is for use with the "Default Organization". It is a simple mechanism to have a basic ILM structure to use with -# out-of-the-box tire-kicking, or even for Small companies -# -# For Larger Companies, you will want to create a new class implementing the "Organization" interface, making calls to your ILM, or utilizing -# batch feeds, as is appropriate for your company. -# -# Example Field Layout. note, in this example, Application IDs and People IDs are mixed. You may want to split -# out AppIDs, choose your own status indicators, or whatever you use. -# 0 - unique ID -# 1 - full name -# 2 - first name -# 3 - last name -# 4 - phone -# 5 - official email -# 6 - employment status e=employee, c=contractor, a=application, n=no longer with company -# 7 - responsible to (i.e Supervisor for People, or AppOwner, if it's an App ID) -# -*/}} - -iowna|Ima D. Owner|Ima|Owner|314-123-2000|ima.d.owner@people.osaaf.com|e| -mmanager|Mark D. Manager|Mark|Manager|314-123-1234|mark.d.manager@people.osaaf.com|e|iowna -bdevl|Robert D. Developer|Bob|Developer|314-123-1235|bob.d.developer@people.osaaf.com|e|mmanager -mmarket|Mary D. Marketer|Mary|Marketer|314-123-1236|mary.d.marketer@people.osaaf.com|e|mmanager -ccontra|Clarice D. Contractor|Clarice|Contractor|314-123-1237|clarice.d.contractor@people.osaaf.com|c|mmanager -iretired|Ira Lee M. 
Retired|Ira|Retired|314-123-1238|clarice.d.contractor@people.osaaf.com|n|mmanager - -# Portal Identities -portal|ONAP Portal Application|PORTAL|ONAP Application|314-123-1234|portal@people.osaaf.com|a|aaf_admin -shi|ONAP SHI Portal Identity|shi|Portal Application|314-123-1234|shi@people.osaaf.com|a|aaf_admin -demo|PORTAL DEMO|demo|PORTAL|DEMO|314-123-1234|demo@people.osaaf.com|e|aaf_admin -jh0003|PORTAL ADMIN|jh|PORTAL ADMIN|314-123-1234|jh0003@people.osaaf.com|e|aaf_admin -cs0008|PORTAL DESIGNER|cs|PORTAL DESIGNER|314-123-1234|cs0008@people.osaaf.com|e|aaf_admin -jm0007|PORTAL TESTER|jm|PORTAL TESTER|314-123-1234|jm0007@people.osaaf.com|e|aaf_admin -op0001|PORTAL OPS|op|PORTAL OPS|314-123-1234|op0001@people.osaaf.com|e|aaf_admin -gv0001|GV PORTAL|gv|PORTAL|314-123-1234|gv0001@people.osaaf.com|e|aaf_admin -pm0001|PM PORTAL|pm|PORTAL|314-123-1234|pm0001@people.osaaf.com|e|aaf_admin -gs0001|GS PORTAL|gs|PORTAL|314-123-1234|gs0001@people.osaaf.com|e|aaf_admin -ps0001|PS PORTAL|ps|PORTAL|314-123-1234|ps0001@people.osaaf.com|e|aaf_admin - -# AAF Defined Users -aaf_admin|AAF Administrator|Mr AAF|AAF Admin|314-123-1234|aaf_admin@people.osaaf.com|e|mmanager -deployer|Deployer|Deployer|Depoyer|314-123-1234|deployer@people.osaaf.com|e|aaf_admin - -# Requested Users -portal_admin|Portal Admin|Portal|Admin|314-123-1234|portal_admin@people.osaaf.com|e|mmanager - -# ONAP App IDs -a1p|A1 Policy Mangement|A1P|Application|314-123-1234|no_reply@people.osaaf.com|a|aaf_admin -aaf|AAF Application|AAF|Application|314-123-1234|no_reply@people.osaaf.com|a|aaf_admin -aaf-sms|AAF SMS Application|AAF SMS|Application|314-123-1234|no_reply@people.osaaf.com|a|aaf_admin -clamp|ONAP CLAMP Application|CLAMP|Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -aai|ONAP AAI Application|AAI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -aai-resources|ONAP AAI Resources Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager 
-aai-schema-service|ONAP AAI Schema Service Application|AAI Schema Service|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -aai-traversal|ONAP AAI Traversal Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -appc|ONAP APPC Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -appc-cdt|ONAP APPC CDT Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -cli|ONAP CLI Application|SDNC-CDS|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dcae|ONAP DCAE Application|CLAMP|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -oof|ONAP OOF Application|OOF|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -so|ONAP SO Application|SO|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -sdc|ONAP SDC Application|SDC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -sdnc|ONAP SDNC Application|SDNC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -sdnc-cds|ONAP SDNC CDS Application|SDNC-CDS|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -vfc|ONAP VFC Application|VNC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -policy|ONAP Policy Application|POLICY|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -pomba|ONAP Pomba Application|POMBA|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -holmes|ONAP Holmes Application|HOLMES|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -holmes-engine-mgmt|ONAP Holmes Engine Management Application|HOLMES-ENGINE|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -holmes-rule-mgmt|ONAP Holmes Rules Management Application|HOLMES-RULES|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -nbi|ONAP NBI Application|NBI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -msb-eag|ONAP MSB EAG 
Application|MSB EAG|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -msb-iag|ONAP MSB IAG Application|MSB IAG|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -music|ONAP MUSIC Application|MUSIC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -refrepo|ONAP REFREPO Application|REFREPO|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -uui|ONAP UUI Application|UUI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -# VID Identities -vid|ONAP VID Application|VID|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -vid1|ONAP VID Application 1|VID 1|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -vid2|ONAP VID Application 2|VID 2|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -# DMAAP Identities -dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-bc-topic-mgr|ONAP DMaap BC Topic Manager|DMaap BC Topic Manager|DMaap BC|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-bc-mm-prov|ONAP DMaap BC Provisioning Manager|DMaap BC Provision Manager|DMaap BC|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-dr|ONAP DMaap DR|Prov|DMaap DR|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-dr-prov|ONAP DMaap DR Prov|Prov|DMaap MR|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-dr-node|ONAP DMaap DR Node|Node|DMaap MR|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -#deprecate these in El Alto -dmaapmr|ONAP DMaap MR Application|DMaap MR|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -#dmaap.mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager 
diff --git a/kubernetes/aaf/resources/log/org.osaaf.aaf.log4j.props b/kubernetes/aaf/resources/log/org.osaaf.aaf.log4j.props
deleted file mode 100644
index 4120913d99..0000000000
--- a/kubernetes/aaf/resources/log/org.osaaf.aaf.log4j.props
+++ /dev/null
@@ -1,53 +0,0 @@
-#########
-# ============LICENSE_START====================================================
-# org.onap.aaf
-# ===========================================================================
-# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
-# ===========================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END====================================================
-#
-
-log4j.appender.INIT=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.INIT.File=${LOG4J_FILENAME_init}
-log4j.appender.INIT.DatePattern='.'yyyy-MM-dd
-log4j.appender.INIT.layout=org.apache.log4j.PatternLayout
-log4j.appender.INIT.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSSZ} %m %n
-
-log4j.appender.SRVR=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.SRVR.File=${LOG4J_FILENAME_service}
-log4j.appender.SRVR.DatePattern='.'yyyy-MM-dd
-log4j.appender.SRVR.layout=org.apache.log4j.PatternLayout
-log4j.appender.SRVR.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSSZ} %p [%c] %m %n
-
-log4j.appender.AUDIT=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.AUDIT.File=${LOG4J_FILENAME_audit}
-log4j.appender.AUDIT.DatePattern='.'yyyy-MM-dd
-log4j.appender.AUDIT.layout=org.apache.log4j.PatternLayout
-log4j.appender.AUDIT.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSSZ} %m %n
-
-log4j.appender.stdout=org.apache.log4j.ConsoleAppender
-log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
-log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] %m %n
-
-# General Apache libraries
-log4j.rootLogger=WARN.SRVR
-log4j.logger.org.apache=WARN,SRVR
-log4j.logger.com.datastax=WARN,SRVR
-log4j.logger.init=INFO,INIT,stdout
-log4j.logger.service=${LOGGING_LEVEL},SRVR,stdout
-log4j.logger.audit=INFO,AUDIT
-# Additional configs, not caugth with Root Logger
-log4j.logger.io.netty=INFO,SRVR
-log4j.logger.org.eclipse=INFO,SRVR
\ No newline at end of file
diff --git a/kubernetes/aaf/templates/configmap.yaml b/kubernetes/aaf/templates/configmap.yaml
deleted file mode 100644
index 969046551b..0000000000
--- a/kubernetes/aaf/templates/configmap.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright © 2020 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-log
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/log/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-identity
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/data/*").AsConfig . | indent 2 }}
\ No newline at end of file
diff --git a/kubernetes/aaf/values.yaml b/kubernetes/aaf/values.yaml
deleted file mode 100644
index b014360833..0000000000
--- a/kubernetes/aaf/values.yaml
+++ /dev/null
@@ -1,104 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T -# Modifications Copyright © 2020 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - cmpv2Enabled: true - addTestingComponents: false - aaf: - readiness: false - image: onap/aaf/aaf_core:2.1.23 - aaf_env: "DEV" - public_fqdn: "aaf.osaaf.org" - aaf_release: "Frankfurt" - # DUBLIN ONLY - for M4 compatibility with Casablanca - # aaf_locator_name: "public.%NS.%N" - # aaf_locator_name_oom: "%NS.%N" - # EL ALTO and Beyond - aaf_locator_name: "%NS.%N" - aaf_locator_name_oom: "%CNS.%NS.%N" - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - cadi_x509_issuers: "CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US" - - config: - image: onap/aaf/aaf_config:2.1.23 - - service: - fqdn: "aaf-service" - internal_port: 8100 - public_port: 31110 - locate: - fqdn: "aaf-locate" - internal_port: 8095 - public_port: 31111 - oauth: - fqdn: "aaf-oauth" - internal_port: 8140 - public_port: 31112 - -################################################################# -# Application configuration defaults. 
-################################################################# - -flavor: small -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 350 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 150 - periodSeconds: 10 - -ingress: - enabled: false - service: - - baseaddr: "aaf.api" - name: "aaf-service" - port: 8100 - config: - ssl: "none" - -persistence: {} - -resources: {} - -aaf-authz: - enabled: true -aaf-sms: - enabled: true -aaf-sshsm: - enabled: false diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml index e02c624e59..7f00c2f002 100644 --- a/kubernetes/aai/Chart.yaml +++ b/kubernetes/aai/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,56 +18,50 @@ apiVersion: v2 description: ONAP Active and Available Inventory name: aai -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) + version: ~13.x-0 repository: '@local' - name: cassandra - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' condition: global.cassandra.localCluster - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: aai-babel - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/aai-babel' condition: aai-babel.enabled - name: aai-graphadmin - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/aai-graphadmin' condition: aai-graphadmin.enabled - name: aai-modelloader - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/aai-modelloader' condition: aai-modelloader.enabled - name: aai-resources - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/aai-resources' condition: aai-resources.enabled - name: aai-schema-service - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/aai-schema-service' condition: aai-schema-service.enabled - name: aai-sparky-be - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/aai-sparky-be' condition: aai-sparky-be.enabled - name: aai-traversal - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/aai-traversal' condition: aai-traversal.enabled - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-babel/Chart.yaml b/kubernetes/aai/components/aai-babel/Chart.yaml index 11b561cc9f..447b59f573 100644 
--- a/kubernetes/aai/components/aai-babel/Chart.yaml +++ b/kubernetes/aai/components/aai-babel/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,21 +18,15 @@ apiVersion: v2 description: Babel microservice name: aai-babel -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties index 6a3a74c0a6..96f1a3eb89 100644 --- a/kubernetes/aai/components/aai-babel/resources/config/application.properties +++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -15,17 +16,8 @@ # limitations under the License. */}} server.port=9516 -{{ if ( include "common.needTLS" .) }} -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=need -server.ssl.key-store-type=PKCS12 -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/services/babel-service diff --git a/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml index e52ac7a6d1..24d34e861c 100644 --- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml 
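Review bot: With the `common.needTLS` branch gone, `security.require-ssl=false` and `server.ssl.enabled=false` are now unconditional in babel's application.properties, so the listener on 9516 is always cleartext and the former `server.ssl.client-auth=need` check has no in-app replacement. Transport protection and caller authentication then rest entirely on the mesh sidecar and on whatever `common.authorizationPolicy` renders, which presumably is nothing when the service mesh is disabled (that helper is not visible in this diff). I would record that dependency next to the setting, e.g. `# TLS and client auth are delegated to the service mesh; do not expose this port outside the mesh`. The same applies to the graphadmin application.properties hunk `@@ -49,23 +50,13 @@`.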
@@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2020,2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,18 +19,9 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} strategy: type: {{ .Values.updateStrategy.type }} 
@@ -39,29 +31,13 @@ spec: maxSurge: {{ .Values.updateStrategy.maxSurge }} {{- end }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - echo "*** actual launch of AAI Babel" - /bin/bash /opt/app/babel/bin/start.sh - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -77,16 +53,11 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - {{- if not (include "common.needTLS" .) }} - name: KEY_STORE_PASSWORD value: NotUsed - {{- end }} - name: CONFIG_HOME value: /opt/app/babel/config - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/babel/config/application.properties name: config subPath: application.properties @@ -106,8 +77,7 @@ spec: - mountPath: /opt/app/babel/config/logback.xml name: config subPath: logback.xml - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
@@ -120,10 +90,7 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: config configMap: name: {{ include "common.fullname" . }}-configmap @@ -134,5 +101,4 @@ spec: emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-babel/templates/service.yaml b/kubernetes/aai/components/aai-babel/templates/service.yaml index 87a29db457..86141abe90 100644 --- a/kubernetes/aai/components/aai-babel/templates/service.yaml +++ b/kubernetes/aai/components/aai-babel/templates/service.yaml 
@@ -16,29 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{- if eq .Values.service.type "NodePort" }} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else }} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end }} - - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml index ca23bc96c1..e058d82e46 100644 --- a/kubernetes/aai/components/aai-babel/values.yaml +++ b/kubernetes/aai/components/aai-babel/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2020, 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,47 +20,12 @@ ################################################################# global: {} -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-babel-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai - fqi: aai@aai.onap.org - public_fqdn: aai.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** writing passwords into prop file" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo "KEY_STORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "KEY_MANAGER_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/babel:1.11.0 +image: onap/babel:1.12.3 flavor: small flavorOverride: small 
@@ -90,10 +56,11 @@ readiness: service: type: NodePort - portName: http - externalPort: 9516 internalPort: 9516 - nodePort: 79 + ports: + - name: http + port: 9516 + nodePort: 79 ingress: enabled: false @@ -104,21 +71,28 @@ ingress: config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-modelloader-read + - serviceAccount: istio-ingress + namespace: istio-ingress + resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 0.5 - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/aai/components/aai-graphadmin/Chart.yaml b/kubernetes/aai/components/aai-graphadmin/Chart.yaml index 239bcad749..69abea193f 100644 --- a/kubernetes/aai/components/aai-graphadmin/Chart.yaml +++ b/kubernetes/aai/components/aai-graphadmin/Chart.yaml @@ -4,7 +4,7 @@ # ================================================================================ # Copyright © 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
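Review bot: `service.type: NodePort` with `nodePort: 79` stays the default in this hunk while the same commit removes babel's own TLS and client-certificate check, so the node port now fronts a cleartext listener with no in-app authentication unless the mesh is active. The `authorizedPrincipals` list added in the next hunk only takes effect when the AuthorizationPolicy is actually rendered and sidecars are injected. Consider defaulting to `type: ClusterIP` and leaving NodePort as an opt-in override, or at least add a comment such as `# NodePort serves plain HTTP; enable only behind a mesh/ingress that enforces authn`. Separately, the resources hunk lowers the small-flavor CPU limit from 2 to "1" alongside the quoting cleanup, which is a behaviour change worth naming in the commit message.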
@@ -22,21 +22,15 @@ apiVersion: v2 description: ONAP AAI GraphAdmin name: aai-graphadmin -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties index f768338d99..8f63ac85ab 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright © 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,16 +25,9 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten - -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{ else }} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} {{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true @@ -41,13 +35,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} -{{ end }} - aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }} diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties index 6e64fd8400..b63cd83158 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties 
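Review bot: The three AAI URLs are now fixed to `http://`, yet the block just below still emits `aai.tools.enableBasicAuth=true` with `aai.tools.username` and `aai.tools.password`, so the Basic credentials travel in cleartext whenever `global.config.basic.auth.enabled` is set and the mesh is not wrapping the connection. The password is also rendered from values straight into this file, which the graphadmin deployment appears to mount from a ConfigMap (the `-properties` volume), so it would be readable by anyone with ConfigMap read access in the namespace. I would keep the credential in a Secret and reference it from the properties file rather than inlining it, and add a comment such as `# http:// is only safe when mesh mTLS is enforced for this namespace`.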
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright � 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange +# Modifications Copyright � 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,7 +35,7 @@ server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration -spring.profiles.active={{ .Values.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} +spring.profiles.active={{ .Values.config.profiles.active }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 
@@ -49,23 +50,13 @@ server.local.startpath=/opt/app/aai-graphadmin/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8449 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks -server.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD}) -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD}) -server.ssl.client-auth=want -server.ssl.key-store-type=JKS -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61649 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} -dmaap.ribbon.transportType={{ include "common.scheme" . }} +dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904 +dmaap.ribbon.transportType=http # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
@@ -101,29 +92,19 @@ schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +schema.service.client=no-auth -{{ if ( include "common.needTLS" .) }} -schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks -schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -schema.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD}) -schema.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD}) -{{ end }} aperture.rdbmsname=aai_relational -aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +aperture.service.client=no-auth aperture.service.base.url=http://localhost:8457/aai/aperture -{{ if ( include "common.needTLS" .) }} -aperture.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks -aperture.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aperture.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD}) -aperture.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD}) -{{ end }} aperture.service.timeout-in-milliseconds=300000 #To Expose the Prometheus scraping endpoint -management.port=8448 +management.server.port=8448 +management.endpoints.enabled-by-default=true +management.endpoints.web.exposure.include=info,health,prometheus endpoints.enabled=false management.security.enabled=false \ No newline at end of file 
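Review bot: `management.endpoints.enabled-by-default=true` switches on every actuator endpoint and relies on `management.endpoints.web.exposure.include=info,health,prometheus` alone to keep the rest off port 8448, so a later edit to the exposure list would surface them with no authentication in front. Prefer `management.endpoints.enabled-by-default=false` and enable only what is scraped, with `management.endpoint.health.enabled=true`, `management.endpoint.info.enabled=true` and `management.endpoint.prometheus.enabled=true`. The context lines `endpoints.enabled=false` and `management.security.enabled=false` are Spring Boot 1.x keys; given the move to `management.server.port` they are probably ignored now and could be dropped so they do not suggest a control that is not in effect. In the same hunk `schema.service.client=no-auth` and `aperture.service.client=no-auth` are now hard-coded, so those calls carry no client authentication unless the mesh policy covers them.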
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties index ccd9864fb6..40dc674e8b 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties @@ -26,8 +26,6 @@ SDNC:OBF:1itr1i0l1i151isv,admin DCAE:OBF:1g8u1f9d1f991g8w,admin POLICY:OBF:1mk61i171ima1im41i0j1mko,admin ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin OOF:OBF:1img1ke71ily,admin @@ -37,8 +35,6 @@ sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin diff --git a/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 3e1479e335..cad213ab9e 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml @@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,12 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
@@ -46,6 +53,12 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.name" . }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} 
@@ -53,50 +66,7 @@ spec: hostname: aai-graphadmin terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} {{ if .Values.global.initContainers.enabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: - command: {{ if .Values.global.jobs.migration.enabled }} - /app/ready.py @@ -111,13 +81,9 @@ spec: {{ else }} - /app/ready.py args: - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name + - --service-name + - {{ .Values.global.cassandra.serviceName }} + - --service-name - aai-schema-service {{ end }} env: @@ -129,6 +95,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{ end }} containers: - name: {{ include "common.name" . }} 
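Review bot: In the readiness init container the first `--service-name` argument is now `{{ .Values.global.cassandra.serviceName }}` with no guard, so an unset value would render an empty argument and the check would no longer be waiting on Cassandra (the default for this value is not visible in this diff). Failing at render time is safer: `- {{ required "global.cassandra.serviceName must be set" .Values.global.cassandra.serviceName }}`. The initContainers block starts in the previous hunk and the container spec continues outside this one.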
@@ -145,10 +118,7 @@ spec: value: {{ .Values.service.internalPort2 | quote }} - name: INTERNAL_PORT_3 value: {{ .Values.service.internalPort3 | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties @@ -174,8 +144,11 @@ spec: subPath: application.properties ports: - containerPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} - containerPort: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.portName2 }} - containerPort: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.portName3 }} lifecycle: # wait for active requests (long-running tasks) to be finished # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. @@ -202,8 +175,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -216,10 +188,7 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} 
@@ -227,13 +196,7 @@ spec: configMap: name: {{ include "common.fullname" . }} - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties restartPolicy: {{ .Values.restartPolicy }} - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index a93c6107e7..c949f7dbf8 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml @@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -58,55 +59,12 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - command: - /bin/bash - -c - - /app/ready.py --container-name aai-cassandra --timeout 1 || /app/ready.py --container-name cassandra + - /app/ready.py --service-name {{ .Values.global.cassandra.serviceName }} env: - name: NAMESPACE valueFrom: @@ -116,6 +74,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-db-backup-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{- end }} containers: - name: {{ include "common.name" . }}-db-backup-job @@ -135,10 +100,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties 
@@ -168,21 +130,14 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }} - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties - name: migration @@ -192,6 +147,5 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index a9349028f4..5046b0c06b 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml @@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -53,60 +54,13 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: - command: - /app/ready.py args: - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name + - --service-name + - {{ .Values.global.cassandra.serviceName }} + - --service-name - aai-schema-service env: - name: NAMESPACE @@ -117,6 +71,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -135,10 +96,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties @@ -166,10 +124,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logs emptyDir: {} @@ -177,14 +133,8 @@ spec: configMap: name: {{ include "common.fullname" . }} - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties restartPolicy: Never - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 10b8255c50..92474032b1 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml 
@@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -58,60 +59,13 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: - command: - /app/ready.py args: - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name + - --service-name + - {{ .Values.global.cassandra.serviceName }} + - --service-name - aai-schema-service env: - name: NAMESPACE @@ -122,6 +76,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: @@ -133,10 +94,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties 
@@ -180,10 +138,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties @@ -211,10 +166,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} @@ -225,16 +178,10 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} --- apiVersion: batch/v1 kind: Job 
@@ -259,55 +206,12 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - command: - /bin/bash - -c - - /app/ready.py --container-name aai-cassandra --timeout 1 || /app/ready.py --container-name cassandra + - /app/ready.py --service-name {{ .Values.global.cassandra.serviceName }} env: - name: NAMESPACE valueFrom: @@ -317,6 +221,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-db-backup-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{- end }} containers: - name: {{ include "common.name" . }}-db-backup-job @@ -336,10 +247,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties 
@@ -369,10 +277,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.resources" . | nindent 10 }} - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} - name: config @@ -391,6 +297,5 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index 6350f858f1..e3f7569767 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml @@ -27,6 +27,7 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
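Review bot: The context line kept in the `@@ -369,10 +277,8 @@` hunk of job-migration.yaml still reads `volumes: {{ include "common.resources" . | nindent 10 }}`, which places the output of the resources helper under `volumes` ahead of the `- name: logs` list items. Every other Job and the Deployment touched by this diff use a bare `volumes:` at that point, so this looks like a stray include that the cleanup could drop, leaving just `volumes:`. What `common.resources` renders is defined outside this diff, so it is worth checking the rendered backup Job with `helm template` to confirm the pod spec is valid.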
@@ -36,20 +37,26 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} - port: {{ .Values.service.internalPort3 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName3 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} - port: {{ .Values.service.internalPort3 }} name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName }} {{- end}} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index 2ac55459bb..8b6b5f906a 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml 
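Review bot: In the non-NodePort branch of service.yaml the third port gets `targetPort: {{ .Values.service.portName }}`, although its `name` is `portName3` and the NodePort branch uses `portName3` for the same entry. Now that the Deployment names its container ports, traffic sent to `internalPort3` would be forwarded to the first container port instead of the third. values.yaml points the serviceMonitor at 8448, which is `internalPort3`, so metrics scraping through the Service is the likely casualty. The line should read `targetPort: {{ .Values.service.portName3 }}`.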
@@ -5,6 +5,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,8 @@ global: # global defaults cassandra: #This will instantiate AAI cassandra cluster, default:shared cassandra. localCluster: false + # flag to enable the DB creation via k8ssandra-operator + useOperator: true initContainers: enabled: true jobs: @@ -61,7 +64,7 @@ global: # global defaults # Specifies if the connection should be one way ssl, two way ssl or no auth # will be set to no-auth if tls is disabled service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will # make a rest request to schema service translator: @@ -76,11 +79,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v27 + default: v28 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28 # Specifies from which version related link should appear related: link: v11 
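Review bot: The comment above `client: no-auth` in the `@@ -61,7 +64,7 @@` hunk still says the value "will be set to no-auth if tls is disabled", but no-auth is now the unconditional default. A deployer reading it cannot tell that the chart no longer configures TLS for this client connection on its own. I would replace the second comment line with something like `# no-auth: TLS is not configured by this chart; transport protection has to come from the service mesh or the network layer`. Whether a mesh is always present is not visible in this diff, so the wording should be checked against the deployment guide.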
@@ -98,53 +101,8 @@ global: # global defaults realtime: clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1 -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-graphadmin-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai - fqi: aai@aai.onap.org - public_fqdn: aai.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai - user_id: &user_id 1000 - group_id: &group_id 1000 - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export KEYSTORE_JKS_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - keytool -storepasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_jks}" \ - -keystore {{ .Values.fqi_namespace }}.jks - echo "*** set key password as same password as keystore password" - keytool -keypasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_jks}" \ - -storepass "${KEYSTORE_JKS_PLAIN_PASSWORD}" -alias {{ .Values.fqi }} - echo "*** writing passwords into prop file" - echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo 
"KEYSTORE_JKS_PLAIN_PASSWORD=${KEYSTORE_JKS_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} - # application image -image: onap/aai-graphadmin:1.11.1 +image: onap/aai-graphadmin:1.12.3 pullPolicy: Always restartPolicy: Always flavor: small @@ -165,9 +123,8 @@ config: # Specify the profiles for the graphadmin microservice profiles: - # one way ssl profile will be set unless tlsEnabled is set to false or serviceMesh is enabled and - # serviceMesh.tls is set to tru - active: dmaap #,one-way-ssl" + + active: dmaap # Specifies the timeout limit for the REST API requests timeout: @@ -240,13 +197,18 @@ service: internalPort: 8449 portName2: tcp-5005 internalPort2: 5005 - portName3: aai-graphadmin-8448 + portName3: http-graphadmin internalPort3: 8448 terminationGracePeriodSeconds: 120 ingress: enabled: false +# No inbound communications. +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + persistence: enabled: true ## A manually managed Persistent Volume and Claim @@ -271,38 +233,38 @@ persistence: # To make logback capping values configurable logback: - logToFileEnabled: true + logToFileEnabled: false maxHistory: 7 totalSizeCap: 6GB queueSize: 1000 accessLogback: - logToFileEnabled: true + logToFileEnabled: false maxHistory: 7 totalSizeCap: 6GB resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 0.5 - memory: 1536Mi + cpu: "0.5" + memory: "1.6Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "3.2Gi" unlimited: {} metrics: serviceMonitor: enabled: false targetPort: 8448 - path: /prometheus + path: /actuator/prometheus basicAuth: enabled: false 
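Review bot: The new `# No inbound communications.` comment over `authorizedPrincipals: []` in the `@@ -240,13 +197,18 @@` hunk does not match the rest of this file, which still declares three service ports and a `metrics.serviceMonitor` with `targetPort: 8448`. How an empty list is rendered, whether as a deny-all policy or as no policy at all, depends on the common authorization-policy template, which is not part of this diff. I would make the comment state the intent and the dependency, for example `# Empty list: no mesh principal may call this service; add the scraper's principal if metrics.serviceMonitor is enabled`. Please confirm the rendered policy with `helm template` so the comment and the enforcement agree.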
@@ -318,8 +280,8 @@ metrics: # Not fully used for now securityContext: - user_id: *user_id - group_id: *group_id + user_id: 1000 + group_id: 1000 #Pods Service Account serviceAccount: diff --git a/kubernetes/aai/components/aai-modelloader/Chart.yaml b/kubernetes/aai/components/aai-modelloader/Chart.yaml index 56aad3ecec..123da099a5 100644 --- a/kubernetes/aai/components/aai-modelloader/Chart.yaml +++ b/kubernetes/aai/components/aai-modelloader/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,21 +17,15 @@ apiVersion: v2 description: ONAP AAI modelloader name: aai-modelloader -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-modelloader/resources/application.properties b/kubernetes/aai/components/aai-modelloader/resources/application.properties new file mode 100644 index 0000000000..f910af1cae --- /dev/null +++ b/kubernetes/aai/components/aai-modelloader/resources/application.properties 
@@ -0,0 +1,31 @@
+# Note that the start.sh script sets the following System Properties
+# We provide default values here for testing purposes
+AJSC_HOME=.
+CONFIG_HOME=appconfig-local
+com.att.eelf.logging.path=src/main/resources
+com.att.eelf.logging.file=logback.xml
+logback.configurationFile=${com.att.eelf.logging.path}/${com.att.eelf.logging.file}
+
+server.port=9500
+#server.ssl.key-store=
+#server.ssl.key-store-password=
+#server.ssl.keyStoreType=
+#server.ssl.keyAlias=
+
+spring.application.name=aai-model-loader
+
+spring.sleuth.enabled={{ .Values.tracing.enabled }}
+spring.zipkin.baseUrl={{ .Values.tracing.collector.baseUrl }}
+spring.sleuth.messaging.jms.enabled=false
+spring.sleuth.trace-id128=true
+spring.sleuth.sampler.probability={{ .Values.tracing.sampling.probability }}
+spring.sleuth.propagation.type=w3c,b3
+spring.sleuth.supports-join=false
+spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }}
+
+server.tomcat.threads.max=200
+# The minimum number of threads always kept alive
+server.tomcat.threads.min-spare=25
+
+# Spring Boot logging
+logging.config=${logback.configurationFile}
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12 b/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12
deleted file mode 100644
index ee57120fa0..0000000000
Binary files a/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12 and /dev/null differ
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
index bc53b4b764..e32f48f77f 100644
--- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
+++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
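Review bot: In the new model-loader `resources/application.properties` the four `server.ssl.*` keys are left commented out with no explanation, so the listener on `server.port=9500` is plain HTTP. The header still calls the values defaults "for testing purposes", although the configmap.yaml hunk later in this commit renders the file into the chart's ConfigMap. If transport protection is expected from the service mesh, say so where the keys are, e.g. `# TLS is not terminated by the application; in-cluster traffic is expected to be protected by the service mesh`. The `com.att.eelf.logging.path=src/main/resources` default is a source-tree path and `logging.config` resolves through it, so it is worth confirming that start.sh really overrides it inside the container.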
@@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,37 +18,24 @@ # Model Loader Distribution Client Configuration */}} ml.distribution.ACTIVE_SERVER_TLS_AUTH=false -{{ if ( include "common.needTLS" .) }} -ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443 -ml.distribution.ASDC_USE_HTTPS=true -ml.distribution.KEYSTORE_PASSWORD= -ml.distribution.KEYSTORE_FILE= -ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp -{{ else }} ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080 ml.distribution.ASDC_USE_HTTPS=false ml.distribution.KEYSTORE_PASSWORD= ml.distribution.KEYSTORE_FILE= ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp -{{ end }} -ml.distribution.CONSUMER_GROUP={{ .Values.config.kafka.sdcTopic.consumerGroup }} -ml.distribution.CONSUMER_ID={{ .Values.config.kafka.sdcTopic.clientId }} +{{- with (first .Values.kafkaUser.acls) }} +ml.distribution.CONSUMER_GROUP={{ .name }} +ml.distribution.CONSUMER_ID={{ .name }}-model-loader ml.distribution.ENVIRONMENT_NAME=AUTO ml.distribution.POLLING_INTERVAL=30 ml.distribution.POLLING_TIMEOUT=20 -ml.distribution.USER=aai +ml.distribution.USER={{ .name }} +{{- end }} ml.distribution.ARTIFACT_TYPES=MODEL_QUERY_SPEC,TOSCA_CSAR # Model Loader AAI REST Client Configuration -{{ if ( include "common.needTLS" .) 
}} -ml.aai.BASE_URL=https://aai.{{.Release.Namespace}}:8443 -ml.aai.KEYSTORE_FILE=aai-os-cert.p12 -ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o -ml.aai.USE_HTTPS= true -{{ else }} ml.aai.BASE_URL=http://aai.{{.Release.Namespace}}:80 ml.aai.USE_HTTPS= false -{{ end }} ml.aai.MODEL_URL=/aai/v*/service-design-and-creation/models/model/ ml.aai.NAMED_QUERY_URL=/aai/v*/service-design-and-creation/named-queries/named-query/ ml.aai.VNF_IMAGE_URL=/aai/v*/service-design-and-creation/vnf-images @@ -58,16 +46,8 @@ ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw # Model Loader Babel REST Client Configuration\r ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516 ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts -{{ if ( include "common.needTLS" .) }} -ml.babel.KEYSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.p12 -ml.babel.KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD} -ml.babel.TRUSTSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -ml.babel.TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD} -ml.babel.USE_HTTPS= true -{{ else }} ml.babel.KEYSTORE_FILE= ml.babel.KEYSTORE_PASSWORD= ml.babel.TRUSTSTORE_FILE= ml.babel.TRUSTSTORE_PASSWORD= ml.babel.USE_HTTPS= false -{{ end }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/aai-sdc-list-kafka-user.yaml b/kubernetes/aai/components/aai-modelloader/templates/aai-sdc-list-kafka-user.yaml deleted file mode 100644 index d7e37e215a..0000000000 --- a/kubernetes/aai/components/aai-modelloader/templates/aai-sdc-list-kafka-user.yaml +++ /dev/null 
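Review bot: With the `common.needTLS` branches removed in `@@ -17,37 +18,24 @@`, `ml.distribution.PASSWORD=OBF:…` (and `ml.aai.AUTH_PASSWORD=OBF:…`, visible in the next hunk's header) remain literals in a properties file that configmap.yaml renders into a ConfigMap, and the SDC and AAI endpoints they accompany are now always plain `http`. The `OBF:` form comes from Jetty's password utility (the removed init container called it) and is reversible obfuscation, not encryption, so read access to the ConfigMap is enough to recover the values. They would be better supplied from a Secret, as `SASL_JAAS_CONFIG` is in the deployment hunk; at minimum a comment such as `# obfuscated, not encrypted; transport protection relies on the service mesh` belongs above them. The aai-resources `aaiconfig.properties` hunks have the same shape, with `aai.tools.password` next to an http-only `aai.server.url`.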
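Review bot: `ml.babel.BASE_URL` is still built with `{{ include "common.scheme" . }}`, while the `@@ -58,16 +46,8 @@` hunk makes `ml.babel.USE_HTTPS= false` and the empty keystore/truststore keys unconditional, so URL and flag can disagree if that helper ever renders `https`. The helper is defined outside this diff, so its current output is an assumption here. Other files in this commit replace the helper with a literal (`dmaap.ribbon.transportType=http` in aai-resources); doing the same here, `ml.babel.BASE_URL=http://aai-babel.{{.Release.Namespace}}:9516`, keeps the two in step.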
@@ -1,37 +0,0 @@ -{{/* - # Copyright © 2022 Nordix Foundation - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. - */}} - -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.global.aaiSdcListenerKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: {{ .Values.config.kafka.saslMechanism | lower }} - authorization: - type: {{ .Values.config.kafka.authType }} - acls: - - resource: - type: group - name: {{ .Values.config.kafka.sdcTopic.consumerGroup }} - operation: All - - resource: - type: topic - patternType: prefix - name: {{ .Values.config.kafka.sdcTopic.pattern }} - operation: All diff --git a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml index 534fd021da..d3fd509dcd 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml @@ -26,6 +26,7 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/model-loader.properties").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/application.properties").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap 
diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index d3136d8dda..8dee92f77e 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml @@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2020-2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,6 +24,12 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} @@ -43,6 +50,12 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.name" . }} spec: {{- if .Values.nodeSelector }} 
@@ -51,50 +64,6 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD} - export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD} - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - - mountPath: /config-input - name: prop-config-input - - mountPath: /config - name: prop-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -102,21 +71,18 @@ spec: env: - name: CONFIG_HOME value: /opt/app/model-loader/config/ - - name: SECURITY_PROTOCOL - value: {{ .Values.config.kafka.securityProtocol }} - - name: SASL_MECHANISM - value: {{ .Values.config.kafka.saslMechanism }} - name: SASL_JAAS_CONFIG - value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + volumeMounts: - mountPath: /opt/app/model-loader/config/model-loader.properties subPath: model-loader.properties name: prop-config - - mountPath: /opt/app/model-loader/config/auth/ - name: auth-config + - mountPath: /opt/app/model-loader/application.properties + subPath: application.properties + name: prop-config - mountPath: {{ .Values.log.path }} name: logs - mountPath: /opt/app/model-loader/logback.xml 
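Review bot: The `SECURITY_PROTOCOL` and `SASL_MECHANISM` variables are dropped from the container `env` in the `@@ -102,21 +71,18 @@` hunk, leaving only `SASL_JAAS_CONFIG`, so the Kafka transport and SASL mechanism are no longer pinned anywhere in the manifest. Presumably the new image supplies its own defaults, but that is not visible here, and a mismatch with the mechanism of the generated KafkaUser would only surface as an authentication failure at runtime. I would add a comment above the remaining variable, e.g. `# security protocol and SASL mechanism come from the image defaults; credentials come from the <name>-ku Secret created for the KafkaUser`, or keep the two variables explicit. The container spec starts before this hunk.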
@@ -126,21 +92,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: prop-config - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: prop-config-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-prop - - name: auth-config - secret: - secretName: {{ include "common.fullname" . }} - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} @@ -148,5 +103,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-log restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/kafkauser.yaml b/kubernetes/aai/components/aai-modelloader/templates/kafkauser.yaml new file mode 100644 index 0000000000..324a068cf0 --- /dev/null +++ b/kubernetes/aai/components/aai-modelloader/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} 
diff --git a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml b/kubernetes/aai/components/aai-modelloader/templates/secret.yaml deleted file mode 100644 index 70b0857938..0000000000 --- a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} ---- -{{ include "common.secretFast" . }} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index 09bb32dd43..ab3d8646c2 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020-2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,73 +19,24 @@ # Declare variables to be passed into your templates. global: # global defaults nodePortPrefix: 302 - aaiSdcListenerKafkaUser: aai-sdc-list-user -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: aai-sdc-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-ml-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai - fqi: aai@aai.onap.org - public_fqdn: aai.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - appMountPath: /opt/app/model-loader/config/auth/aaf - fqi_namespace: org.onap.aai - user_id: &user_id 1000 - group_id: &group_id 1000 - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** writing passwords into prop file" - echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo 
"TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} # application image -image: onap/model-loader:1.12.0 +image: onap/model-loader:1.13.6 pullPolicy: Always restartPolicy: Always flavor: small flavorOverride: small -# application configuration -config: - someConfig: blah - kafka: - securityProtocol: SASL_PLAINTEXT - saslMechanism: SCRAM-SHA-512 - authType: simple - sdcTopic: - pattern: SDC-DIST - consumerGroup: aai - clientId: aai-model-loader +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: aai + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] # default number of instances replicaCount: 1 @@ -113,20 +65,29 @@ readiness: resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 0.5 - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 1 - memory: 1536Mi + cpu: "1" + memory: "2Gi" unlimited: {} +tracing: + enabled: true + collector: + baseUrl: http://jaeger-collector.istio-system:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + ignorePatterns: + - /aai/util.* + #Pods Service Account serviceAccount: nameOverride: aai-modelloader @@ -135,8 +96,8 @@ serviceAccount: # Not fully used for now securityContext: - user_id: *user_id - group_id: *group_id + user_id: 1000 + group_id: 1000 #Log configuration log: diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml index fc8ad97b45..3594492675 100644 --- a/kubernetes/aai/components/aai-resources/Chart.yaml +++ b/kubernetes/aai/components/aai-resources/Chart.yaml 
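Review bot: The order of the new `kafkaUser.acls` list is load-bearing and nothing in the values file says so: `model-loader.properties` takes `first .Values.kafkaUser.acls` and reuses its `name` for `ml.distribution.CONSUMER_GROUP`, `CONSUMER_ID` and `USER`. If the topic entry is ever listed first, the client would identify itself as `SDC-DISTR`, and with an empty list the three keys are silently omitted from the rendered file. A comment above the list would prevent that, e.g. `# NOTE: the first entry must be the consumer-group ACL; its name is reused as Kafka consumer group and user in model-loader.properties`.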
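Review bot: The new `tracing` block in `@@ -113,20 +65,29 @@` defaults to `enabled: true` with `sampling.probability: 1.0`, so every installation exports a span for every request (other than `/aai/util.*`) to `http://jaeger-collector.istio-system:9411`, whether or not a collector exists there. Trace data usually carries request paths and identifiers, so full sampling over a plain-HTTP cross-namespace hop is something an operator should opt into rather than inherit. I would default to `enabled: false` and document the cost next to the rate, e.g. `probability: 1.0 # fraction of requests traced (0.0-1.0); 1.0 traces everything, lower this outside test environments`.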
@@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,21 +18,15 @@ apiVersion: v2 description: ONAP AAI resources name: aai-resources -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv b/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv deleted file mode 100644 index 60a8fb5f0b..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv +++ /dev/null 
@@ -1,33 +0,0 @@ -# AAI -> aai@aai.onap.org -Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ModelLoader -> aai@aai.onap.org -Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# AaiUI -> aai@aai.onap.org, -Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# MSO -> so@so.onap.org -Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03 - -# SDNC -> sdnc@sdnc.onap.org -Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# DCAE -> dcae@dcae.onap.org -Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# POLICY -> policy@policy.onap.org -Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ASDC -> sdc@sdc.onap.org -Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# VID -> vid@vid.onap.org -Basic VklEOlZJRA==,Basic dmlkQHZpZC5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# APPC -> appc@appc.onap.org -Basic QVBQQzpBUFBD,Basic YXBwY0BhcHBjLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# OOF -> oof@oof.onap.org -Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03 - diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties b/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties deleted file mode 100644 index ec5fd55e06..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties +++ /dev/null @@ -1,8 +0,0 @@ - -cadi_loglevel=INFO -cadi_prop_files=/opt/app/aai-resources/resources/aaf/org.osaaf.location.props:/opt/app/aai-resources/resources/aaf/org.onap.aai.props - -# OAuth2 -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - 
diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props b/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props deleted file mode 100644 index f4bb9ee89c..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props +++ /dev/null @@ -1,15 +0,0 @@ -############################################################ -# Properties Generated by AT&T Certificate Manager -# @copyright 2016, AT&T -# Modifications Copyright © 2020 Orange -############################################################ -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US -cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile -cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD} - -cadi_alias=aai@aai.onap.org -cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD} -cadi_loglevel=INFO -cadi_bath_convert=/opt/app/aai-resources/resources/aaf/bath_config.csv diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props b/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props deleted file mode 100644 index 8ae66aaf79..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props +++ /dev/null 
@@ -1,24 +0,0 @@ -## -## org.osaaf.location.props -## -## Localized Machine Information -## -# Almeda California ? -cadi_latitude=37.78187 -cadi_longitude=-122.26147 - -# Locate URL (which AAF Env) -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 - - -# AAF URL -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -# AAF Environment Designation -aaf_env=DEV - -# OAuth2 Endpoints -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - - diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties b/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties deleted file mode 100644 index 4234121a2d..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties +++ /dev/null @@ -1,2 +0,0 @@ -permission.type=org.onap.aai.resources -permission.instance=* \ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties index a569b5366b..adabae3ac7 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright © 2017 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -38,15 +39,9 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{ else }} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} {{ if .Values.global.config.basic.auth.enabled }} aai.tools.enableBasicAuth=true @@ -54,13 +49,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} -{{ end }} - aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }} diff --git a/kubernetes/aai/components/aai-resources/resources/config/application.properties b/kubernetes/aai/components/aai-resources/resources/config/application.properties index b5b64bec4b..1b7bdf8ff6 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/application.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/application.properties 
@@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,9 +28,17 @@ spring.jersey.type=filter spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ +spring.zipkin.baseUrl={{ .Values.tracing.collector.baseUrl }} +spring.sleuth.messaging.jms.enabled = false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c, b3 +spring.sleuth.supports-join=false +spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }} + spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration -spring.profiles.active={{ .Values.global.config.profiles.active }}{{ .Values.global.aafEnabled | ternary ",aaf-auth" "" }} +spring.profiles.active={{ .Values.global.config.profiles.active }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 
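Review bot: The Sleuth block added in `@@ -27,9 +28,17 @@` has no `spring.sleuth.enabled` line, whereas the model-loader `application.properties` added in this same commit sets `spring.sleuth.enabled={{ .Values.tracing.enabled }}`. As written, aai-resources exports traces to `spring.zipkin.baseUrl` regardless of any enable switch in values, unless one is applied outside the visible lines. Adding `spring.sleuth.enabled={{ .Values.tracing.enabled }}` above `spring.zipkin.baseUrl` would make the two charts consistent; that assumes `tracing.enabled` exists in this chart's values, which are not part of this hunk.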
@@ -44,23 +53,13 @@ server.local.startpath=aai-resources/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8447 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=want -server.ssl.key-store-type=JKS -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} -dmaap.ribbon.transportType={{ include "common.scheme" . }} +dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904 +dmaap.ribbon.transportType=http # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
@@ -96,23 +95,16 @@ schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ (eq "true" ( include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} - -{{ if ( include "common.needTLS" .) }} -schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} -schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -{{ end }} +schema.service.client=no-auth #to expose the Prometheus scraping endpoint -management.port=8448 -management.endpoints.enabled-by-default=false -management.security.enabled=false -endpoints.enabled=false -endpoints.info.enabled=false -endpoints.prometheus.enabled=false -endpoints.health.enabled=false +management.server.port=8448 +management.endpoints.enabled-by-default=true +management.endpoints.web.exposure.include=info,health,prometheus +endpoints.enabled={{ .Values.endpoints.enabled }} +endpoints.info.enabled={{ .Values.endpoints.info.enabled }} +endpoints.prometheus.enabled={{ .Values.metrics.serviceMonitor.enabled }} +endpoints.health.enabled={{ .Values.endpoints.health.enabled }} management.metrics.web.server.auto-time-requests=false management.metrics.distribution.percentiles-histogram[http.server.requests]=true management.metrics.distribution.sla[http.server.requests]=20ms, 30ms, 40ms, 50ms, 60ms, 70ms, 80ms, 90ms, 100ms, 500ms, 1000ms, 5000ms, 7000ms diff --git a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties index 836dc7b176..4835560665 100644 
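Review bot: `management.endpoints.enabled-by-default=true` turns on every actuator endpoint and the new exposure list always contains `prometheus`, so the `endpoints.*.enabled` values added below do not appear to gate anything; as far as I know those are Spring Boot 1.x keys, and the Boot 2 per-endpoint switch is `management.endpoint.<id>.enabled`. An earlier hunk of this file keeps `ManagementWebSecurityAutoConfiguration` in `spring.autoconfigure.exclude`, so whatever is exposed on 8448 is served without authentication. Consider keeping `management.endpoints.enabled-by-default=false` and enabling only what is needed, e.g. `management.endpoint.health.enabled={{ .Values.endpoints.health.enabled }}`, `management.endpoint.info.enabled={{ .Values.endpoints.info.enabled }}` and `management.endpoint.prometheus.enabled={{ .Values.metrics.serviceMonitor.enabled }}`.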
--- a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties @@ -90,7 +90,17 @@ log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} {{ end }} storage.lock.wait-time=300 -# Setting db-cache to false ensure the fastest propagation of changes across servers -cache.db-cache = false + +# https://docs.janusgraph.org/operations/cache/#database-level-caching +# Setting db-cache to false will ensure the fastest propagation of changes across servers +# Setting db-cache to true will ensure fastest response times +cache.db-cache={{ .Values.config.janusgraph.caching.enabled }} +{{ if .Values.config.janusgraph.caching.enabled }} +# cache-time in milliseconds +cache.db-cache-time={{ .Values.config.janusgraph.caching.dbCacheTime }} +cache.db-cache-size={{ .Values.config.janusgraph.caching.dbCacheSize }} +cache.db-cache-clean-wait={{ .Values.config.janusgraph.caching.dbCacheCleanWait }} +{{ end }} + #load graphson file on startup load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml index 5ddd293658..07919a97a2 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml @@ -27,14 +27,17 @@ - + + + + class="ch.qos.logback.core.rolling.RollingFileAppender"> ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd}.zip 
@@ -43,17 +46,36 @@ ${totalSizeCap} - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D + %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} + %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} + %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} + %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} + %i{X-AAI-SSL-Client-DN} %D - + - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - "logType": "access" + %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} + %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} + %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} + %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - + "logType": "access" + + + + + /aai/util/echo + + NEUTRAL + DENY + + + @@ -83,5 +105,4 @@ %z - Custom pattern that parses the cert for the subject %y - Custom pattern determines rest or dme2 --> -*/}} - +*/}} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/resources/config/realm.properties b/kubernetes/aai/components/aai-resources/resources/config/realm.properties index 9fbd122492..f254d03631 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/realm.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/realm.properties 
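Review bot: The access-log pattern is now wrapped over several lines, and if these lines sit inside a `<pattern>` element (the markup is not visible in this rendering) the line breaks and indentation become part of the pattern, so each request would be written as a multi-line record. That breaks line-oriented log parsers and makes it harder to tell a header-derived field such as `%i{X-Forwarded-For}` from the start of a new record. Keep the pattern on a single line, or define it once as a property and reference it from both appenders. Separately, the new filter seems to match on the path `/aai/util/echo` alone, so requests from any caller to that endpoint would be dropped from the access log, not only the kubelet probes; confirm that this is acceptable for audit purposes.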
@@ -21,8 +21,6 @@ SDNC:OBF:1itr1i0l1i151isv,admin
 DCAE:OBF:1g8u1f9d1f991g8w,admin
 POLICY:OBF:1mk61i171ima1im41i0j1mko,admin
 ASDC:OBF:1f991j0u1j001f9d,admin
-VID:OBF:1jm91i0v1jl9,admin
-APPC:OBF:1f991ksf1ksf1f9d,admin
 ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin
 AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin
 OOF:OBF:1img1ke71ily,admin
@@ -32,8 +30,6 @@ sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
 dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
 policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
 sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
-vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
-appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
 oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
 pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
 vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
diff --git a/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..5a9baa822f
--- /dev/null
+++ b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/aai/components/aai-resources/templates/configmap.yaml b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
index 99973565f8..eccc4ba491 100644
--- a/kubernetes/aai/components/aai-resources/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-resources/templates/configmap.yaml
@@ -34,19 +34,3 @@ data:
 {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-aaf-props
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/aaf/org.osaaf.location.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }}
diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml index 33aa97179e..122e522bb1 100644 --- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml @@ -3,6 +3,7 @@ # Modifications Copyright (c) 2018 AT&T # Modifications Copyright (c) 2020 Nokia # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,6 +25,12 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} @@ -43,6 +50,12 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.name" . }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} @@ -79,7 +92,7 @@ spec: spec: hostname: aai-resources terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-readiness command: - /app/ready.py 
@@ -92,13 +105,9 @@ spec: - --job-name - {{ include "common.release" . }}-aai-graphadmin-create-db-schema {{- else }} - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name + - --service-name + - {{ .Values.global.cassandra.serviceName }} + - --service-name - aai-schema-service {{- end }} {{- end }} @@ -110,6 +119,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -119,29 +135,34 @@ spec: args: - -c - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) echo "*** actual launch of AAI Resources" /bin/bash /opt/app/aai-resources/docker-entrypoint.sh env: + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + {{- if .Values.config.profiling.enabled }} + - name: PRE_JVM_ARGS + value: '{{ join " " .Values.config.profiling.args }}' + {{- end }} + {{- if .Values.config.debug.enabled }} + - name: POST_JVM_ARGS + value: {{ .Values.config.debug.args | quote }} + {{- end }} - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.global.config.groupId | quote }} - - name: POST_JAVA_OPTS - value: '-Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -Djavax.net.ssl.trustStorePassword={{ .Values.certInitializer.truststorePassword }}' - - name: TRUSTORE_ALL_PASSWORD - value: {{ .Values.certInitializer.truststorePassword }} - name: INTERNAL_PORT_1 value: {{ .Values.service.internalPort | quote }} - name: INTERNAL_PORT_2 value: {{ .Values.service.internalPort2 | quote }} - name: INTERNAL_PORT_3 value: {{ .Values.service.internalPort3 | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-resources/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties 
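Review bot: `PRE_JVM_ARGS` is rendered as `'{{ join " " .Values.config.profiling.args }}'` with hand-written single quotes, whereas the other entries in this `env:` list, including the new `POST_JVM_ARGS`, go through `| quote`; an argument that contains a single quote would produce invalid YAML. Use `value: {{ join " " .Values.config.profiling.args | quote }}`. The `range` over `.Values.config.env` also deserves a one-line comment such as `# fixed entries below are listed last so they win over a duplicate key from config.env`, since, as far as I know, the last entry with a given name takes effect and that ordering is what keeps `LOCAL_USER_ID` and the port variables from being overridden through values. The container spec starts and ends outside this hunk.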
@@ -162,21 +183,6 @@ spec: - mountPath: /opt/app/aai-resources/resources/etc/auth/realm.properties name: {{ include "common.fullname" . }}-config subPath: realm.properties - - mountPath: /opt/app/aai-resources/resources/aaf/bath_config.csv - name: {{ include "common.fullname" . }}-aaf-certs - subPath: bath_config.csv - - mountPath: /opt/app/aai-resources/resources/aaf/org.onap.aai.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.onap.aai.props - - mountPath: /opt/app/aai-resources/resources/aaf/org.osaaf.location.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.osaaf.location.props - - mountPath: /opt/app/aai-resources/resources/aaf/permissions.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: permissions.properties - - mountPath: /opt/app/aai-resources/resources/cadi.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: cadi.properties - mountPath: /opt/app/aai-resources/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties @@ -185,8 +191,18 @@ spec: subPath: application-keycloak.properties ports: - containerPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} + {{- if .Values.config.debug.enabled }} - containerPort: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.portName2 }} + {{- end }} - containerPort: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.portName3 }} + {{- if .Values.config.profiling.enabled }} + - containerPort: {{ .Values.service.internalPort4 }} + name: {{ .Values.service.portName4 }} + {{- end }} + lifecycle: # wait for active requests (long-running tasks) to be finished # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. 
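Review bot: In the `ports:` hunk the profiling port is rendered from `.Values.service.internalPort4` and `.Values.service.portName4`, but none of the values.yaml hunks shown for this chart adds those keys, and the `service:` context there goes straight from `internalPort3` to `terminationGracePeriodSeconds`. If they are not defined elsewhere, setting `config.profiling.enabled` renders `- containerPort:` with an empty value and the Deployment would be rejected. Either add `portName4` and `internalPort4` to the chart's values or guard the block, e.g. `{{- if and .Values.config.profiling.enabled .Values.service.internalPort4 }}`.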
@@ -206,7 +222,7 @@ spec: httpGet: path: /aai/util/echo?action=checkDB port: {{ .Values.service.internalPort }} - scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }} + scheme: HTTP httpHeaders: - name: X-FromAppId value: LivenessCheck @@ -221,7 +237,7 @@ spec: httpGet: path: /aai/util/echo?action=checkDB port: {{ .Values.service.internalPort }} - scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }} + scheme: HTTP httpHeaders: - name: X-FromAppId value: ReadinessCheck @@ -231,7 +247,7 @@ spec: value: application/json initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end }} @@ -241,22 +257,12 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-aaf-properties - configMap: - name: {{ include "common.fullname" . }}-aaf-props - - name: {{ include "common.fullname" . }}-aaf-certs - secret: - secretName: {{ include "common.fullname" . }}-aaf-keys restartPolicy: {{ .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/aai/components/aai-resources/templates/secret.yaml b/kubernetes/aai/components/aai-resources/templates/secret.yaml deleted file mode 100644 index a0d8629459..0000000000 --- a/kubernetes/aai/components/aai-resources/templates/secret.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-aaf-keys - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }} ---- -{{ include "common.secretFast" . }} diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml index 8feb071bc6..0613129aac 100644 --- a/kubernetes/aai/components/aai-resources/templates/service.yaml +++ b/kubernetes/aai/components/aai-resources/templates/service.yaml @@ -21,6 +21,7 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
@@ -30,20 +31,26 @@ spec: {{ if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} - port: {{ .Values.service.internalPort3 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName3 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} - port: {{ .Values.service.internalPort3 }} name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName3 }} {{- end }} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index de7bf2dd84..b1d32028c2 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml 
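Review bot: Both branches still publish `internalPort2` (5005, the JDWP address in `config.debug.args`) on the Service and now point it at `targetPort: {{ .Values.service.portName2 }}`, but the Deployment only declares that named container port when `config.debug.enabled` is true. With debug off the named target does not resolve to any container port; with debug on, an unauthenticated debugger port is reachable through the Service, and through a node port when `service.type` is `NodePort`. Wrap the `internalPort2` entries in `{{- if .Values.config.debug.enabled }}` and `{{- end }}` in both branches, and consider leaving the port out of the NodePort branch so that debugging goes through `kubectl port-forward` only.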
@@ -1,6 +1,7 @@ # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Copyright (c) 2020 Nokia, Orange # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -33,8 +34,6 @@ global: # global defaults migration: enabled: false - aafEnabled: false - config: # Specifies that the cluster connected to a dynamic # cluster being spinned up by kubernetes deployment @@ -51,8 +50,7 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - # aaf-auth profile will be automatically set if aaf enabled is set to true - active: production,dmaap #,aaf-auth + active: production,dmaap # Notification event specific properties notification: @@ -63,7 +61,7 @@ global: # global defaults schema: # Specifies if the connection should be one way ssl, two way ssl or no auth service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service translator: list: schema-service @@ -77,11 +75,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v27 + default: v28 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28 # Specifies from which version related link should appear related: link: v11 
@@ -123,41 +121,9 @@ aai_enpoints: url: network - name: aai-externalSystem url: external-system -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-resources-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai-resources - fqi: aai-resources@aai-resources.onap.org - public_fqdn: aai-resources.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai-resources - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} # application image -image: onap/aai-resources:1.11.0 +image: onap/aai-resources:1.13.0 pullPolicy: Always restartPolicy: Always flavor: small 
@@ -188,6 +154,18 @@ config: # to the user in keycloak multiTenancy: enabled: true + janusgraph: + caching: + # enable when running read-heavy workloads + # modifications to graph done by this service/janusgraph instance will immediately invalidate the cache + # modifications to graph done by other services (traversal) will only be visible + # after time specified in db-cache-time + enabled: false + # Documentation: https://docs.janusgraph.org/operations/cache/#database-level-caching + dbCacheTime: 180000 # in milliseconds + dbCacheSize: 0.1 # percentage (expressed as a decimal between 0 and 1) of the total heap space available to the JVM running + dbCacheCleanWait: 20 # in milliseconds + # Specifies crud related operation timeouts and overrides crud: @@ -209,6 +187,33 @@ config: # Specifies if the bulk can be override and if it can the value override: false + # environment variables added to the launch of the image in deployment + env: + MIN_HEAP_SIZE: "512m" + MAX_HEAP_SIZE: "1024m" + MAX_METASPACE_SIZE: "512m" + + # adds jvm args for remote debugging the application + debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + + # adds jvm args for remote profiling the application + # port-forward, i.e: + # $ PODNAME=traversal + # $ kubectl -n ${NAMESPACE:=onap} port-forward pod/$(kubectl -n ${NAMESPACE:=onap} + # get pods | awk '{print $1}' | grep -m1 -e "$PODNAME") 9999:9999 + profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + nodeSelector: {} affinity: {} 
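Review bot: In the second hunk the `profiling.args` defaults set `jmxremote.authenticate=false`, `jmxremote.ssl=false` and `jmxremote.local.only=false`, and `debug.args` opens JDWP on 5005, so switching either `enabled` flag on gives anything that can reach the pod an unauthenticated management or debugger interface. `-Djava.rmi.server.hostname=127.0.0.1` only changes the address handed to RMI clients and is not an access control. State this in the comments, e.g. `# development only: opens an unauthenticated JMX/JDWP port; never enable in a shared or production cluster`. The port-forward example also uses `PODNAME=traversal` although this is the aai-resources chart.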
@@ -231,7 +236,7 @@ service: internalPort: 8447 portName2: tcp-5005 internalPort2: 5005 - portName3: aai-resources-8448 + portName3: http-resources internalPort3: 8448 terminationGracePeriodSeconds: 120 sessionAffinity: None @@ -239,6 +244,12 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-read + - serviceAccount: consul-read + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -251,33 +262,48 @@ ingress: # Minimum memory for production is 4 CPU cores and 8GB memory #resources: # limits: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" # requests: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "6Gi" unlimited: {} +tracing: + collector: + baseUrl: http://jaeger-collector.istio-system:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + ignorePatterns: + - /aai/util.* + +endpoints: + enabled: true + health: + enabled: true + info: + enabled: true + metrics: serviceMonitor: enabled: false targetPort: 8448 - path: /prometheus + path: /actuator/prometheus basicAuth: enabled: false externalSecretName: mysecretname 
@@ -338,12 +364,13 @@ logConfigMapNamePrefix: '{{ include "common.fullname" . }}' # To make logback capping values configurable logback: - logToFileEnabled: true + logToFileEnabled: false maxHistory: 7 totalSizeCap: 1GB queueSize: 1000 accessLogback: - logToFileEnabled: true + livenessAccessLogEnabled: false # false: do not log kubernetes liveness probes + logToFileEnabled: false maxHistory: 7 totalSizeCap: 1GB diff --git a/kubernetes/aai/components/aai-schema-service/Chart.yaml b/kubernetes/aai/components/aai-schema-service/Chart.yaml index c04342fdd9..3860826d1b 100644 --- a/kubernetes/aai/components/aai-schema-service/Chart.yaml +++ b/kubernetes/aai/components/aai-schema-service/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2019 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,21 +18,15 @@ apiVersion: v2 description: ONAP AAI Schema Service name: aai-schema-service -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties index a2abaf3785..4c620a0028 100644 --- a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties 
@@ -4,6 +4,7 @@ # org.onap.aai # ================================================================================ # Copyright © 2019 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,15 +20,9 @@ # ============LICENSE_END========================================================= */}} -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{ else }} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} {{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true @@ -35,12 +30,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} -{{ end }} aai.default.api.version={{ .Values.global.config.schema.version.api.default }} 
diff --git a/kubernetes/aai/components/aai-schema-service/config/application.properties b/kubernetes/aai/components/aai-schema-service/config/application.properties index a3f7998a8f..20dc6bc520 100644 --- a/kubernetes/aai/components/aai-schema-service/config/application.properties +++ b/kubernetes/aai/components/aai-schema-service/config/application.properties @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -37,18 +38,8 @@ server.local.startpath=aai-schema-service/src/main/resources/ server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties server.port=8452 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=want -server.ssl.key-store-type=PKCS12 -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} schema.configuration.location=N/A schema.source.name={{ .Values.global.config.schema.source.name }} diff --git a/kubernetes/aai/components/aai-schema-service/config/realm.properties b/kubernetes/aai/components/aai-schema-service/config/realm.properties index 7c8539dbe7..8ed63174df 100644 --- a/kubernetes/aai/components/aai-schema-service/config/realm.properties +++ b/kubernetes/aai/components/aai-schema-service/config/realm.properties 
@@ -4,8 +4,6 @@ SDNC:OBF:1itr1i0l1i151isv,admin DCAE:OBF:1g8u1f9d1f991g8w,admin POLICY:OBF:1mk61i171ima1im41i0j1mko,admin ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin OOF:OBF:1img1ke71ily,admin @@ -16,8 +14,6 @@ sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin diff --git a/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml index 8a7c43f0b9..0ecc2b2d80 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml @@ -2,6 +2,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,6 +24,12 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
@@ -43,58 +50,26 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.name" . }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} spec: - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD} - export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD} - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - {{- end }} containers: - name: {{ include "common.name" . 
}} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - echo "*** actual launch of AAI Schema Service" - /bin/bash /opt/app/aai-schema-service/docker-entrypoint.sh - {{- end }} env: - name: LOCAL_USER_ID value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-schema-service/resources/etc/appprops/aaiconfig.properties name: aaiconfig-conf subPath: aaiconfig.properties @@ -114,7 +89,9 @@ spec: subPath: application.properties ports: - containerPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} - containerPort: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.portName2 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -129,8 +106,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
@@ -143,13 +119,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: aai-common-aai-auth-mount secret: secretName: aai-common-aai-auth - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} @@ -169,5 +142,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-realm restartPolicy: {{ .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/service.yaml b/kubernetes/aai/components/aai-schema-service/templates/service.yaml index b54b6be644..79f01d6638 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/service.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/service.yaml @@ -21,6 +21,7 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
@@ -30,15 +31,19 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} {{- end }} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml index 50e12e8e4d..ccda86dc0d 100644 --- a/kubernetes/aai/components/aai-schema-service/values.yaml +++ b/kubernetes/aai/components/aai-schema-service/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
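Review bot: The `NodePort` branch still publishes both ports on every node, but the listener behind them is now always plain HTTP: this commit sets `server.ssl.enabled=false` unconditionally in the schema-service application.properties and drops the `s` suffix from the port name here. Traffic arriving through a node port does not necessarily pass a mesh gateway, so whether it is encrypted or covered by the new AuthorizationPolicy depends on the mesh's mTLS mode, which is not visible in this diff. I would document this next to `service.type` in values.yaml, e.g. `# NodePort serves plain HTTP; expose externally only through an ingress or gateway that terminates TLS`.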
@@ -40,11 +41,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v27 + default: v28 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28 # Specifies from which version related link should appear related: link: v11 
@@ -58,43 +59,8 @@ global: # global defaults edge: label: v12 -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-schema-service-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai-schema-service - fqi: aai-schema-service@aai-schema-service.onap.org - public_fqdn: aai-schema-service.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai-schema-service - user_id: &user_id 1000 - group_id: &group_id 1000 - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** writing passwords into prop file" - echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} - # application image -image: onap/aai-schema-service:1.11.0 +image: onap/aai-schema-service:1.12.3 pullPolicy: Always restartPolicy: Always flavorOverride: small 
@@ -132,6 +98,13 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-graphadmin-read + - serviceAccount: aai-resources-read + - serviceAccount: aai-traversal-read + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -144,26 +117,26 @@ ingress: # Minimum memory for production is 4 CPU cores and 8GB memory #resources: # limits: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" # requests: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} #Pods Service Account @@ -174,8 +147,8 @@ serviceAccount: # Not fully used for now securityContext: - user_id: *user_id - group_id: *group_id + user_id: 1000 + group_id: 1000 #Log configuration log: diff --git a/kubernetes/aai/components/aai-sparky-be/Chart.yaml b/kubernetes/aai/components/aai-sparky-be/Chart.yaml index 2bfb7f231a..a057002f57 100644 --- a/kubernetes/aai/components/aai-sparky-be/Chart.yaml +++ b/kubernetes/aai/components/aai-sparky-be/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
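Review bot: `serviceMesh.authorizationPolicy.authorizedPrincipals` is added without a comment, although after this commit removes the keystore/truststore settings and `server.ssl.client-auth`, it appears to be the main control over which workloads may call the schema service. A short comment would help the next maintainer, e.g. `# Service accounts allowed to call this service when the service mesh is enabled; consumed by common.authorizationPolicy`. That wording assumes the helper reads the list this way, since the helper itself is not part of this diff. The comment should also say what an empty list means, because whether the rendered policy then admits every caller or none is not visible here.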
@@ -17,21 +17,15 @@ apiVersion: v2 description: ONAP AAI sparky-be name: aai-sparky-be -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties index ee1341751f..178adb80b3 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,15 +19,9 @@ oxm.schemaNodeDir=/opt/app/sparky/onap/oxm #schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config oxm.schemaServiceTranslatorList=config # The end point for onap is https://:/onap/schema-service/v1/ -{{ if ( include "common.needTLS" .) }} -oxm.schemaServiceBaseUrl=https:///aai/schema-service/v1/ -oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD} -oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD} -{{ else }} + oxm.schemaServiceBaseUrl=http:///aai/schema-service/v1/ -{{ end }} + # Schema Service need this variable for the time being diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties index 7c82d1f90d..e9ed63e76e 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
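Review bot: The context comment above the changed value still reads `# The end point for onap is https://:/onap/schema-service/v1/`, while the only remaining value is now `oxm.schemaServiceBaseUrl=http:///aai/schema-service/v1/`. The comment should follow the change so scheme and path match the value, e.g. `# Schema service endpoint (plain HTTP inside the cluster): http://<host>:<port>/aai/schema-service/v1/`. The host part of the value is empty as shown on this page. If that is not an artefact of how the page was rendered, it should be confirmed that the setting is unused while `oxm.schemaServiceTranslatorList=config`.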
@@ -15,16 +16,7 @@ */}} resources.hostname=aai -{{ if ( include "common.needTLS" .) }} -resources.port=8443 -resources.authType=SSL_BASIC -resources.basicAuthUserName=aai@aai.onap.org -resources.basicAuthPassword=1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek -resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -resources.trust-store-password=${TRUSTSTORE_PASSWORD} -resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -resources.client-cert-password=${KEYSTORE_PASSWORD} -{{ else }} + resources.port=80 resources.authType=HTTP_NOAUTH -{{ end }} + diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties index 422e7ce150..c6e1baac2a 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,13 +14,6 @@ # limitations under the License. server.port=8000 -{{ if ( include "common.needTLS" .) }} -server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} + 
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties index 90cb00069e..b5ad6b3f4a 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,16 +23,10 @@ spring.mvc.favicon.enabled=false # and in the values.yaml change the internalPort to 9517 # -spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,{{ ( eq "true" ( include "common.needTLS" .)) | ternary "ssl" "http" }} +spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,http portal.cadiFileLocation={{.Values.config.cadiFileLocation}} searchservice.hostname={{.Values.global.searchData.serviceName}} searchservice.port=9509 -{{ if ( include "common.needTLS" .) }} -searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -searchservice.client-cert-password=${KEYSTORE_PASSWORD} -searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -searchservice.truststore-password=${TRUSTSTORE_PASSWORD} -{{ end }} schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties deleted file mode 100644 index 67268e33e2..0000000000 
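Review bot: `portal.cadiFileLocation={{.Values.config.cadiFileLocation}}` is kept as a context line, but this commit deletes `resources/config/portal/cadi.properties` and the `-portal` ConfigMap that was built from that directory, so the property likely points at a file nothing provides any more. If the portal/CADI integration is being removed, this line and the `config.cadiFileLocation` value should go in the same change; otherwise the file needs another source. Separately, `spring.profiles.active` now hard-codes `http`, so the `ssl` profile is never activated and the settings left in application-ssl.properties (`server.port=8000`, `server.ssl.enabled=false`) look unused. Either delete that file or confirm that an `http` profile file supplies the port, so the file name does not mislead.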
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties +++ /dev/null @@ -1 +0,0 @@ -cipher.enc.key=AGLDdG4D04BKm2IxIWEr8o==! diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties deleted file mode 100644 index 7a0fb8250b..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties +++ /dev/null 
@@ -1,49 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -################################################################################ -############################## Portal properties ############################### -################################################################################ - -# Java class that implements the ECOMP role and user mgt API -*/}} -portal.api.impl.class = org.onap.aai.sparky.security.portal.PortalRestAPICentralServiceImpl - -# Instance of ECOMP Portal where the app has been on-boarded -# use insecure http for dev purposes to avoid self-signed certificate -ecomp_rest_url = https://portal-app:8443/ONAPPORTAL/auxapi - -# Standard global logon page -ecomp_redirect_url = https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm - -# Name of cookie to extract on login request -csp_cookie_name = EPService -# Alternate values: DEVL, V_DEVL, V_PROD -csp_gate_keeper_prod_key = PROD - -# Toggles use of UEB -ueb_listeners_enable = false -# IDs application withing UEB flow -ueb_app_key=ueb_key_7 -# Use this tag if the app is centralized -role_access_centralized=remote - -# Connection and Read timeout values -ext_req_connection_timeout=15000 -ext_req_read_timeout=20000 - -#Add AAF namespace if the app is centralized -auth_namespace={{ .Values.certInitializer.fqi_namespace }} 
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties deleted file mode 100644 index baefd9806b..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties +++ /dev/null 
@@ -1,49 +0,0 @@ -# Configure AAF -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 -aaf_url=<%=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -#aaf_url=https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=TEST/routeOffer=BAU_SE -# AAF Environment Designation - -#if you are running aaf service from a docker image you have to use aaf service IP and port number -aaf_id={{ .Values.certInitializer.fqi }} -#Encrypt the password using AAF Jar -aaf_password={{ .Values.certInitializer.aafDeployPass }} -# Sample CADI Properties, from CADI 1.4.2 -#hostname=org.onap.aai.orr -csp_domain=PROD -# Add Absolute path to Keyfile -cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile -cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD} - -cadi_alias={{ .Values.certInitializer.fqi }} - -# This is required to accept Certificate Authentication from Certman certificates. -# can be TEST, IST or PROD -aaf_env=DEV - -# DEBUG prints off all the properties. Use to get started. -cadi_loglevel=DEBUG - -# Add Absolute path to truststore2018.jks -cadi_truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -# Note: This is the ONLY password that doesn't have to be encrypted. All Java's TrustStores are this passcode by default, because they are public certs -cadi_truststore_password=${TRUSTSTORE_PASSWORD} - -# how to turn on SSL Logging -#javax.net.debug=ssl - -# Use "maps.bing.com" to get Lat and Long for an Address -AFT_LATITUDE=32.780140 -AFT_LONGITUDE=-96.800451 -AFT_ENVIRONMENT=AFTUAT -AFT_DME2_CLIENT_IGNORE_SSL_CONFIG=true -DME2.DEBUG=true -AFT_DME2_HTTP_EXCHANGE_TRACE_ON=true - -cadi_latitude=32.780140 -cadi_longitude=-96.800451 - -aaf_root_ns=com.att.aaf -aaf_api_version=2.0 
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile deleted file mode 100644 index 921ce6714a..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile +++ /dev/null 
@@ -1,27 +0,0 @@ -77E_fh-8gTjeg8egAo-JgNkXYm1FGEBPMo44vKPgKyGCJj9Dn0xJqIBct2Ko35X4_HSU3wPq3I2q -YHIvJCjmzXTVu2zvu4rIGTlwycTtLGDkgPyhOYFytv4GgazbpSs9331MPUeVVrdpkDCQmjtHSB4m -DThhfEe2lkbZ35ljX3sVSf3JDy4ngRot0ktQwnnY4vxFdgVUl7LzVinXWgFLoqMyXmKh_bGw9aUH -VMgqFsF_YmqLZY5ZARAraeywktvrU5kXYh5SnfXoJy7XIk0TBjHKqO-1mW-TcIgS3_v6GIGkZnpq -e1FyE8cS21gTPFlc1KDoWUZE2yoEsQKJc4RFWfjid_mE6nckxym1TOsEn3G2_TlkZvliN_QMDB_c -RuFLDB9HCChm4YYHpSn-RBqtJFz29bMTHQX8VNVfZ_Zhh-4dWOlEfpSzJvAqm_boo-8y8YDGIusx -mvKyPXEKVCuBOljHaKhYg0d43nAXIFsssKpjmtQizA2L_TP1Mo_lDFIlCsPcRlHKTvzkTstEAhRj -JnepzA--olBMwBkPxjm1Y5XQBGZH72i_o4Hr7_NqHb9sP486I2Nd1-owjHkhacGrLO1oORnuBUxp -_SnaXYywe9tTz3BcfFupXSoDv4Sj7g9B53yPIWmjGggigidql3SNJsui6qOtwDHOejzEDFm23Lj7 -fXD6sb52U_ul9ahi4CoLTzpvMsPRYOqyRCk8K8FVBauZbG5D42oaFPn0S0rCSHOCU1TXbRdTF-Cs -I2R0pEHNgb33yx6vtInaTSYIQ5cxa3XDA_50AQearV5SuYSlp8dK0BkpVCKgvSQdTn-2WiaV_hvO -KzG7D2adT1kYY6TjYMXIaUiJ33y1XSNDG0s6r4NG5dNE6Jj7thdpnV-AAZoi0uZh1_bsHKLVmHRr -NCXAc6DZm1D4N9y5lOJwUprUlJisZXLFTQThGMRY5dtiY_eK9Xjj4FQygXXhuhFXHz2-e4YApORv -lXDcT29IZuuI1j26bxdNdhNr1wZsqqievBN6l6OQMiP21eIrxAUu1BEmiVOrfOzaEjxldDN2gFum -4-zf9gsQT9UT8KEuOje64wVeHr09JpWuddV9HOAMvqc6mKTWmvUv_QiLgtK_b39QccMrOfOA1usM -biRJ9wuTYIr584Q9CjHEcm5e2YufcbF-IDZ4IDui8gNXyYJuusTYdspeKzrtiLKfgI56ZWA3it9G -SOkN18YyUmhk7HFkx9qEifb4UEbUQPb0dyXBRotf-91c5CPkct-36uV4sZBA_AR1tX3-aRKKB_SQ -B0zaG-eaEdEqKv-ZYHqk23ZxiEsCX3ZdY7VSMWztE3_D5n8UgEl4et5LVfnjvU-arVVO93WUbXk0 -zi2QrOwytOZ0StAvFdF1nVwWllPg4EYcn8qLJIaaBRvLMlpHixtwRhltwJeMmJl3ExImOxNhVbhF -6LxVXW6JK8JfMIwb_TE4EShDBjemq76BojQOwrO4OAyPG7B5iUtefdY-Zu1EtjXPhrUgljI_A1tg -5_2WNjNTCT7Bvig3saFsIRi3cvgIcMAF2H7kJYw3UDvCFnx4LIom2u6vSeyatPxEOhRfpP0KvgEU -koM9DFJW7VWQ11mB_DcU2NoYHdFKFy_cM62kIvoRwZTADGryEtkLSWEDT8MLpVrGXP2RjSZ3HHqC -vVpVqQHC2VIqNKi2uHtYCiTEfj81Z0rCrnH3hYIRoOSe5W6m17xyb0RloG0G44uK0oNCfDYLwK0L -TJaBdWSIBYI__ISsKx8o8r-3XLtbwQPPhv4-LpGwJYd7sIcqnpTYAyNGSrbEM4ECzHCH9Hwf9Duy -cAQGWqXIbTV9i8ryw8OhcCZPTf3noPZyhzzdegiv6KNT-BBbxsgtDehtP-jvpd9eAhjlfUV_hoFJ 
-rBUVMFrIOEDnnItVqBDmnavRdhn6N9ObVjVMv_4inhkvtpBCEVxtVQT2kFuBmZvPu_uHHbXi7_g8 -SVs3AjJ2ya3pZraK6gH3IOYoGtTAH3rKl7XdTMjqWnUCbhepuJqeEOF-DhpsEW7Oo0Lqzbjg \ No newline at end of file diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties deleted file mode 100644 index e1ddd326f9..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties +++ /dev/null 
@@ -1,36 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -##################################################################################### -############################## Portal Auth Properties ############################## -##################################################################################### - -############################## Auth ############################## -*/}} -username={{.Values.config.portalUsername}} -password={{.Values.config.portalPassword}} - -{{/* -############################## ############################## -# -# ONAP Cookie Processing - During initial development, this flag, if true, will -# prevent the portal interface's login processing from searching for a user -# specific cookie, and will instead allow passage if a valid session cookie is -# discovered. -*/}} -onap_enabled={{.Values.config.portalOnapEnabled}} -onap.user_id_cookie_name={{.Values.config.portalCookieName}} -cookie_decryptor_classname={{.Values.config.cookieDecryptorClass}} -app_roles={{.Values.config.portalAppRoles}} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml index fee07d8acf..7c958fa410 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml 
@@ -27,29 +27,3 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-portal - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/portal/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-portal-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/portal/BOOT-INF/classes/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index 31ea946d9b..f8813cdf69 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml @@ -2,6 +2,7 @@ # Copyright (c) 2017 Amdocs, Bell Canada # Modifications Copyright (c) 2018 AT&T # Modifications Copyright (c) 2020 Nokia +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,15 +19,9 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} strategy: type: {{ .Values.updateStrategy.type }} 
@@ -35,52 +30,14 @@ spec: maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} maxSurge: {{ .Values.updateStrategy.maxSurge }} {{- end }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if ( include "common.needTLS" .) }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \ - | xargs -0) - if [ -z "$KEYSTORE_PASSWORD" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - fi - echo "*** write them in portal part" - cd /config-input - for PFILE in `ls -1 .` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: portal-config-input - - mountPath: /config - name: portal-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: - command: - /app/ready.py args: - - --container-name + - --service-name - aai env: - name: NAMESPACE @@ -91,6 +48,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
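Review bot: The `resources:` block added to the readiness init container in the `@@ -91,6 +48,13 @@` hunk hard-codes its limits and requests (`cpu: "100m"`, `memory: "500Mi"`, `cpu: "3m"`, `memory: "20Mi"`) in the template, whereas the main container in the same file takes its resources from values through `common.resources`. Operators running under a namespace quota or LimitRange cannot tune these without patching the chart. I would move the four values under a values key (for example a new `readinessCheck.resources` block, name to be agreed) and render it with `toYaml ... | nindent`, keeping the current numbers as defaults. The pod spec starts and ends outside this hunk.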
@@ -100,22 +64,9 @@ spec: args: - -c - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \ - | xargs -0) echo "*** actual launch of AAI Sparky BE" /opt/app/sparky/bin/start.sh - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/sparky/config/auth/csp-cookie-filter.properties - name: auth-config - subPath: csp-cookie-filter.properties - - mountPath: /opt/app/sparky/config/portal/ - name: portal-config - - mountPath: /opt/app/sparky/config/portal/BOOT-INF/classes/ - name: portal-config-props + volumeMounts: - mountPath: {{ .Values.log.path }} name: logs - mountPath: /opt/app/sparky/config/application.properties 
@@ -145,25 +96,22 @@ spec: - mountPath: /opt/app/sparky/config/logging/logback.xml name: config subPath: logback.xml - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPlainPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
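Review bot: Both probes now read `.Values.service.internalPort`, while the container ports are rendered by `common.containerPorts`, which, judging by the values.yaml change in this commit, is presumably fed from `service.ports[].internal_port`; the two values are set independently and nothing ties them together. An override that changes one without the other leaves the probes testing a port the container does not listen on, and the pod never becomes ready. A comment above `livenessProbe` such as `# must equal service.ports[0].internal_port`, or deriving the probe port from the ports list, would prevent the drift. The container spec starts and ends outside this hunk.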
@@ -176,32 +124,14 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: config configMap: name: {{ include "common.fullname" . }} - - name: portal-config - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: portal-config-input - {{- end }} - configMap: - name: {{ include "common.fullname" . }}-portal - - name: portal-config-props - configMap: - name: {{ include "common.fullname" . }}-portal-props - - name: auth-config - secret: - secretName: {{ include "common.fullname" . }} - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: modeldir emptyDir: {} restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml b/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml deleted file mode 100644 index d6013c832e..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml +++ /dev/null 
@@ -1,29 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
diff --git a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml
index 9e3ffd6f56..10d9e2a07d 100644
--- a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml
@@ -14,24 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - port: {{ .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} - {{- if eq .Values.service.type "NodePort" }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end }} - type: {{ .Values.service.type }} - selector: - app: {{ include "common.name" . }} +{{ include "common.service" . }} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index 29953b4b66..0a9de51e54 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -1,5 +1,6 @@ # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright (c) 2020 Nokia, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -27,40 +28,6 @@ global: # global defaults searchData: serviceName: aai-search-data - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-sparky-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "aai" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.aai" - fqi: "aai@aai.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing passwords into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - # application image image: onap/sparky-be:2.0.3 pullPolicy: Always @@ -78,7 +45,6 @@ config: portalPassword: OBF:1t2v1vfv1unz1vgz1t3b # aaiui portalCookieName: UserId portalAppRoles: ui_view - cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties cookieDecryptorClass: org.onap.aai.sparky.security.BaseCookieDecryptor # ONAP Cookie Processing - During initial development, the following flag, if true, will 
@@ -87,11 +53,6 @@ config: portalOnapEnabled: true # -# override chart name (sparky-be) to share a common namespace -# suffix with parent chart (aai) -nsSuffix: aai - - # default number of instances replicaCount: 1 @@ -118,11 +79,12 @@ readiness: service: type: NodePort - portName: http - externalPort: 8000 - internalPort: 8000 - internalPlainPort: 9517 - nodePort: 20 + internalPort: 9517 + ports: + - name: http + port: 8000 + internal_port: 9517 + nodePort: 20 ingress: enabled: false @@ -133,23 +95,32 @@ ingress: config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" + # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "0.5" + memory: "4Gi" requests: - cpu: 0.25 - memory: 1Gi + cpu: "0.25" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "1" + memory: "8Gi" requests: - cpu: 0.5 - memory: 2Gi + cpu: "0.5" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/aai/components/aai-traversal/Chart.yaml b/kubernetes/aai/components/aai-traversal/Chart.yaml index f5a6a923a6..8c77848368 100644 --- a/kubernetes/aai/components/aai-traversal/Chart.yaml +++ b/kubernetes/aai/components/aai-traversal/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
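Review bot: The `service:` block in the `@@ -118,11 +79,12 @@` hunk keeps `type: NodePort` with `nodePort: 20` while the port now maps straight to the plain-HTTP listener on 9517, and the `serviceMesh.authorizationPolicy` added in the following hunk authorizes only the `istio-ingress` service account. Unless `common.service` rewrites the type when ingress is enabled (not visible here), either the UI is reachable unencrypted on a node port or NodePort traffic is rejected by the policy; in both cases the two defaults disagree. Defaulting to `type: ClusterIP` and leaving NodePort as an explicit override would match the policy. The hard-coded `namespace: istio-ingress` also deserves a comment saying it must be overridden where the gateway runs under a different namespace or service account.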
@@ -17,21 +17,15 @@ apiVersion: v2 description: ONAP AAI traversal name: aai-traversal -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv b/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv deleted file mode 100644 index 60a8fb5f0b..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv +++ /dev/null 
@@ -1,33 +0,0 @@ -# AAI -> aai@aai.onap.org -Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ModelLoader -> aai@aai.onap.org -Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# AaiUI -> aai@aai.onap.org, -Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# MSO -> so@so.onap.org -Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03 - -# SDNC -> sdnc@sdnc.onap.org -Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# DCAE -> dcae@dcae.onap.org -Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# POLICY -> policy@policy.onap.org -Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ASDC -> sdc@sdc.onap.org -Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# VID -> vid@vid.onap.org -Basic VklEOlZJRA==,Basic dmlkQHZpZC5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# APPC -> appc@appc.onap.org -Basic QVBQQzpBUFBD,Basic YXBwY0BhcHBjLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# OOF -> oof@oof.onap.org -Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03 - diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties deleted file mode 100644 index 2b19da9f6f..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties +++ /dev/null @@ -1,8 +0,0 @@ - -cadi_loglevel=INFO -cadi_prop_files=/opt/app/aai-traversal/resources/aaf/org.osaaf.location.props:/opt/app/aai-traversal/resources/aaf/org.onap.aai.props - -# OAuth2 -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - 
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props b/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props deleted file mode 100644 index b46defa6b7..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props +++ /dev/null @@ -1,16 +0,0 @@ -############################################################ -# Properties Generated by AT&T Certificate Manager -# @copyright 2016, AT&T -# Modifications Copyright (c) 2020 Orange -############################################################ -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US -cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile -cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD} - -#cadi_key_password=enc:9xs_lJ9QQRDoMcHqLbGg40-gefGrw-sLMjWL40ejbyqdC7Jt_pQfY6ajBLGcbLuL -cadi_alias=aai@aai.onap.org -cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD} -cadi_loglevel=INFO -cadi_bath_convert=/opt/app/aai-traversal/resources/aaf/bath_config.csv diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props b/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props deleted file mode 100644 index b9ec6b4641..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props +++ /dev/null 
@@ -1,23 +0,0 @@ -## -## org.osaaf.location.props -## -## Localized Machine Information -## -# Almeda California ? -cadi_latitude=37.78187 -cadi_longitude=-122.26147 - -# Locate URL (which AAF Env) -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 - -# AAF URL -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -# AAF Environment Designation -aaf_env=DEV - -# OAuth2 Endpoints -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - - diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties deleted file mode 100644 index d4956f577c..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties +++ /dev/null @@ -1,2 +0,0 @@ -permission.type=org.onap.aai.traversal -permission.instance=* \ No newline at end of file diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties index b8a2b5fe03..559166ba8e 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright © 2017 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -27,16 +28,9 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten - -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{else}} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} {{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true @@ -44,13 +38,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} -{{ end }} - aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }} diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application.properties b/kubernetes/aai/components/aai-traversal/resources/config/application.properties index 3022b17f97..276dbfe6d7 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/application.properties 
+++ b/kubernetes/aai/components/aai-traversal/resources/config/application.properties @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright � 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +29,7 @@ spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration -spring.profiles.active={{ .Values.global.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} +spring.profiles.active={{ .Values.global.config.profiles.active }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 
@@ -43,23 +44,13 @@ server.local.startpath=aai-traversal/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8446 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=want -server.ssl.key-store-type=JKS -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} -dmaap.ribbon.transportType={{ include "common.scheme" . }} +dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904 +dmaap.ribbon.transportType=http # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
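Review bot: With the TLS branch removed, `dmaap.ribbon.transportType=http` and port 3904 are unconditional, and `security.require-ssl=false` / `server.ssl.enabled=false` are the only transport settings left, so confidentiality of this traffic rests entirely on the service mesh. The same holds for the aaiconfig.properties hunk at `@@ -27,16 +28,9 @@`, where the `http://` AAI URLs sit next to `aai.tools.enableBasicAuth=true`, so the Basic credentials travel in cleartext wherever sidecar mTLS is not enforced. I would state the dependency above the block, for example `# Plain HTTP by design: transport security is delegated to the service mesh, which must enforce mTLS for this namespace`, and mention it in the chart's upgrade notes for deployments that run without a mesh.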
@@ -98,23 +89,16 @@ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions schema.service.custom.queries.endpoint=stored-queries -schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} - -{{ if ( include "common.needTLS" .) }} -schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} -schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -{{ end }} +schema.service.client=no-auth #to expose the Prometheus scraping endpoint -management.port=8448 -management.endpoints.enabled-by-default=false -management.security.enabled=false -endpoints.enabled=false -endpoints.info.enabled=false -endpoints.prometheus.enabled=false -endpoints.health.enabled=false +management.server.port=8448 +management.endpoints.enabled-by-default=true +management.endpoints.web.exposure.include=info,health,prometheus +endpoints.enabled={{ .Values.endpoints.enabled }} +endpoints.info.enabled={{ .Values.endpoints.info.enabled }} +endpoints.prometheus.enabled={{ .Values.metrics.serviceMonitor.enabled }} +endpoints.health.enabled={{ .Values.endpoints.health.enabled }} management.metrics.web.server.auto-time-requests=false management.metrics.distribution.percentiles-histogram[http.server.requests]=true management.metrics.distribution.sla[http.server.requests]=20ms, 30ms, 40ms, 50ms, 60ms, 70ms, 80ms, 90ms, 100ms, 500ms, 1000ms, 5000ms, 7000ms diff --git a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties index 836dc7b176..4835560665 100644 
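Review bot: `management.endpoints.enabled-by-default=true` switches on every actuator endpoint, and only `management.endpoints.web.exposure.include=info,health,prometheus` keeps the others off HTTP; the `spring.autoconfigure.exclude` line earlier in this file removes `SecurityAutoConfiguration` and `ManagementWebSecurityAutoConfiguration`, so whatever is exposed on 8448 is served without authentication. Keeping `management.endpoints.enabled-by-default=false` and enabling the three endpoints individually (`management.endpoint.health.enabled=true`, likewise for `info` and `prometheus`) would fail closed if the exposure list is widened later. The `endpoints.*.enabled` keys are the Spring Boot 1.x names; next to the 2.x-style `management.server.port` they are likely ignored, in which case setting `.Values.endpoints.health.enabled` to false disables nothing, so this should be confirmed against the Boot version in the image. The hunk also hard-codes `schema.service.client=no-auth`, which should carry a comment that authentication to the schema service is expected from the mesh.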
--- a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties @@ -90,7 +90,17 @@ log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} {{ end }} storage.lock.wait-time=300 -# Setting db-cache to false ensure the fastest propagation of changes across servers -cache.db-cache = false + +# https://docs.janusgraph.org/operations/cache/#database-level-caching +# Setting db-cache to false will ensure the fastest propagation of changes across servers +# Setting db-cache to true will ensure fastest response times +cache.db-cache={{ .Values.config.janusgraph.caching.enabled }} +{{ if .Values.config.janusgraph.caching.enabled }} +# cache-time in milliseconds +cache.db-cache-time={{ .Values.config.janusgraph.caching.dbCacheTime }} +cache.db-cache-size={{ .Values.config.janusgraph.caching.dbCacheSize }} +cache.db-cache-clean-wait={{ .Values.config.janusgraph.caching.dbCacheCleanWait }} +{{ end }} + #load graphson file on startup load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml index 1d32a521a1..5e3a15c66a 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml 
@@ -21,35 +21,56 @@ --> */}} - - - - + + + + + - - - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - - - - - - - + + + + ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log + + ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - "logType": "access" + %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} + %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} + %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} + %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} + %i{X-AAI-SSL-Client-DN} %D - - + + + + + + + + %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} + %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} + %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} + %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - + "logType": "access" + + + + + + /aai/util/echo + + NEUTRAL + DENY + + + + + {{/* - - - - -
- tokenAuthRealm - - org.onap.aaf.cadi.shiro.AAFRealm -
- - - -
- securityManager.realms - $tokenAuthRealm -
- - -
- authcBasic - org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter -
- - -
- accountingListener - org.opendaylight.aaa.shiro.filters.AuthenticationListener -
-
- securityManager.authenticator.authenticationListeners - $accountingListener -
- - -
- dynamicAuthorization - org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter -
- - - - - - - /auth/** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/config/aaa-cert-mdsal** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operational/aaa-cert-mdsal** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operations/aaa-cert-rpc** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/config/aaa-authn-model** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operational/aaa-authn-model** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operations/cluster-admin** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - -
- diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaiclient.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaiclient.properties deleted file mode 100644 index 24b10bcb89..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaiclient.properties +++ /dev/null 
@@ -1,251 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### - -# -# Configuration file for A&AI Client -# - -# -# Certificate keystore and truststore -# -*/}} -org.onap.ccsdk.sli.adaptors.aai.ssl.trust=/opt/onap/appc/data/stores/truststoreONAPall.jks -org.onap.ccsdk.sli.adaptors.aai.ssl.trust.psswd=changeit -org.onap.ccsdk.sli.adaptors.aai.ssl.key=/opt/onap/appc/data/stores/truststoreONAPall.jks -org.onap.ccsdk.sli.adaptors.aai.ssl.key.psswd=changeit - -org.onap.ccsdk.sli.adaptors.aai.client.name=appc@appc.onap.org -org.onap.ccsdk.sli.adaptors.aai.client.psswd=demo123456! 
- -org.onap.ccsdk.sli.adaptors.aai.application=openECOMP -connection.timeout=60000 -read.timeout=60000 - -# -# Configuration file for A&AI Client -# -org.onap.ccsdk.sli.adaptors.aai.uri=https://aai.{{.Release.Namespace}}:8443 - -# query -org.onap.ccsdk.sli.adaptors.aai.path.query=/aai/v14/search/sdn-zone-query -org.onap.ccsdk.sli.adaptors.aai.query.nodes=/aai/v14/search/nodes-query?search-node-type={node-type}&filter={entity-identifier}:EQUALS:{entity-name} -org.onap.ccsdk.sli.adaptors.aai.query.generic=/aai/v14/search/generic-query?key={identifier}:{value}&start-node-type={start-node-type}&include=complex&depth=3 - -# named query -org.onap.ccsdk.sli.adaptors.aai.query.named=/aai/search/named-query - - -#update -org.onap.ccsdk.sli.adaptors.aai.update=/aai/v14/actions/update - -# vce -org.onap.ccsdk.sli.adaptors.aai.path.vce =/aai/v14/network/vces/vce/ -org.onap.ccsdk.sli.adaptors.aai.path.vces=/aai/v14/network/vces/ - -# vpe -org.onap.ccsdk.sli.adaptors.aai.path.vpe =/aai/v14/network/vpes/vpe/ -org.onap.ccsdk.sli.adaptors.aai.path.vpes=/aai/v14/network/vpes/ - -# customer -org.onap.ccsdk.sli.adaptors.aai.path.customer=/aai/v14/business/customers/customer/{customer-id} - -# service subscription -org.onap.ccsdk.sli.adaptors.aai.path.service.subscription=/aai/v14/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type} - -# service instance -org.onap.ccsdk.sli.adaptors.aai.path.svcinst=/aai/v14/business/customers/customer/{customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances -org.onap.ccsdk.sli.adaptors.aai.path.svcinst.query=/aai/v14/search/generic-query?key=service-instance.service-instance-id:{svc-instance-id}&start-node-type=service-instance&include=service-instance 
-org.onap.ccsdk.sli.adaptors.aai.path.service.instance=/aai/v14/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances/service-instance/{service-instance-id} - -# complex -org.onap.ccsdk.sli.adaptors.aai.path.complexes=/aai/v14/cloud-infrastructure/complexes -org.onap.ccsdk.sli.adaptors.aai.path.complex=/aai/v14/cloud-infrastructure/complexes/complex/{physical-location-id} - -# tenant -org.onap.ccsdk.sli.adaptors.aai.path.tenant=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id} -org.onap.ccsdk.sli.adaptors.aai.path.tenant.query=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant?tenant-name={tenant-name} - -# vservers -org.onap.ccsdk.sli.adaptors.aai.path.vservers=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/ -org.onap.ccsdk.sli.adaptors.aai.path.vserver=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id} - -# vpls-pe -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pes=/aai/v14/network/vpls-pes/ -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pe =/aai/v14/network/vpls-pes/vpls-pe/ - -# ctag-pool -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pools=/aai/v14/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pool=/aai/v14/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools/ctag-pool/{target-pe}/{availability-zone-name} - -# -#-------------- 1510 ---------------------- -# - -# pservers -org.onap.ccsdk.sli.adaptors.aai.path.pservers=/aai/v14/cloud-infrastructure/pservers -org.onap.ccsdk.sli.adaptors.aai.path.pserver=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname} - -# generic-vnf 
-org.onap.ccsdk.sli.adaptors.aai.path.generic.vnfs=/aai/v14/network/generic-vnfs -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id} - -# dvs-switch -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitches=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitch=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches/dvs-switch/{switch-name} - -# L3 Networks -org.onap.ccsdk.sli.adaptors.aai.path.l3networks=/aai/v14/network/l3-networks -org.onap.ccsdk.sli.adaptors.aai.path.l3network=/aai/v14/network/l3-networks/l3-network/{network-id} -org.onap.ccsdk.sli.adaptors.aai.path.l3network.query.name=/aai/v14/network/l3-networks/l3-network?network-name={network-name} - -# P-Interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterfaces=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterface=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{interface-name} - -# Physical Link -org.onap.ccsdk.sli.adaptors.aai.path.physical.links=/aai/v14/network/physical-links -org.onap.ccsdk.sli.adaptors.aai.path.physical.link=/aai/v14/network/physical-links/physical-link/{link-name} - -# VPN Bindings -org.onap.ccsdk.sli.adaptors.aai.path.vpn.bindings=/aai/v14/network/vpn-bindings/ -org.onap.ccsdk.sli.adaptors.aai.path.vpn.binding=/aai/v14/network/vpn-bindings/vpn-binding/{vpn-id} - -# VNF IMAGES -org.onap.ccsdk.sli.adaptors.aai.path.vnf.images=/aai/v14/service-design-and-creation/vnf-images -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image=/aai/v14/service-design-and-creation/vnf-images/vnf-image/{att-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image.query=/aai/v14/service-design-and-creation/vnf-images/vnf-image?application={application_model}&application-vendor={application_vendor} - -# UBB Notify 
-org.onap.ccsdk.sli.adaptors.aai.path.notify=/aai/v14/actions/notify -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3SDN-API:services/layer3-service-list/{service-instance-id} -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information - -# Service -org.onap.ccsdk.sli.adaptors.aai.path.service=/aai/v14/service-design-and-creation/services/service/{service-id} -org.onap.ccsdk.sli.adaptors.aai.path.services=/aai/v14/service-design-and-creation/services - - -# -#-------------- 1604 ---------------------- -# - -# VNFC -org.onap.ccsdk.sli.adaptors.aai.path.vnfc=/aai/v14/network/vnfcs/vnfc/{vnfc-name} - -# class-of-service -org.onap.ccsdk.sli.adaptors.aai.path.class.of.service=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id}/classes-of-service/class-of-service/{cos-id} - -# site-pair -org.onap.ccsdk.sli.adaptors.aai.path.site.pair=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id} - -# routing-instance -org.onap.ccsdk.sli.adaptors.aai.path.routing.instance=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id} - -# site-pair-set -org.onap.ccsdk.sli.adaptors.aai.path.site.pair.set=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id} - -# license key resource -org.onap.ccsdk.sli.adaptors.aai.path.license.acquire=/aai/v14/actions/assignment/license-management/assignment-group-uuid/{assignment-group-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.license=/aai/v14/license-management/license-key-resources/license-key-resource/{att-uuid} - -# logical-link 
-org.onap.ccsdk.sli.adaptors.aai.path.logical.link =/aai/v14/network/logical-links/logical-link/{link-name} - -# virtual-data-center -org.onap.ccsdk.sli.adaptors.aai.path.virtual.data.center=/aai/v14/cloud-infrastructure/virtual-data-centers/virtual-data-center/{vdc-id} - -# wan-connector -org.onap.ccsdk.sli.adaptors.aai.path.wan.connector=/aai/v14/business/connectors/connector/{resource-instance-id} - -# l-interface -org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# l-interface pnf -org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface.pnf=/aai/v14/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface.pnf=/aai/v14/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# subinterface -org.onap.ccsdk.sli.adaptors.aai.path.pnf.lag.interface.subinterface=/aai/v14/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.pnf.p.interface.l.interface=/aai/v14/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# vlans -org.onap.ccsdk.sli.adaptors.aai.path.vlan=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} 
-org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.vlan=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} - -# l3-interface-ipv4-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} -org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# l3-interface-ipv6-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv6.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} -org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv6.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# ipsec-configuration -org.onap.ccsdk.sli.adaptors.aai.path.ipsec.configuration=/aai/v14/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id} - -# vig server -org.onap.ccsdk.sli.adaptors.aai.path.vig.server=/aai/v14/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id}/vig-servers/vig-server/{vig-address-type} - -# l3-network -org.onap.ccsdk.sli.adaptors.aai.path.l3.network=/aai/v14/network/l3-networks/l3-network/{network-id} - -# subnet -org.onap.ccsdk.sli.adaptors.aai.path.subnet=/aai/v14/network/l3-networks/l3-network/{network-id}/subnets/subnet/{subnet-id} - -# multicast-configuration -org.onap.ccsdk.sli.adaptors.aai.path.multicast.configuration=/aai/v14/network/multicast-configurations/multicast-configuration/{multicast-configuration-id} - -# 
org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv4.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.vlan.ipv4.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.vlan.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv6.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv6.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# volume.group -org.onap.ccsdk.sli.adaptors.aai.path.volume.group=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/volume-groups/volume-group/{volume-group-id} - -#cloud region -org.onap.ccsdk.sli.adaptors.aai.path.cloud.region=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id} - -# vf-module -org.onap.ccsdk.sli.adaptors.aai.path.vf.module=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/vf-modules/vf-module/{vf-module-id} - -# l-interface through generic-vnf -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.linterface=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name} - -# network-policy -org.onap.ccsdk.sli.adaptors.aai.path.network.policy=/aai/v14/network/network-policies/network-policy/{network-policy-id} - -# pnf -org.onap.ccsdk.sli.adaptors.aai.path.pnf=/aai/v14/network/pnfs/pnf/{pnf-name} - -# -# Formatting -# -org.onap.ccsdk.sli.adaptors.aai.param.format=filter=%s:%s -org.onap.ccsdk.sli.adaptors.aai.param.vnf_type=vnf-type 
-org.onap.ccsdk.sli.adaptors.aai.param.physical.location.id=physical-location-id -org.onap.ccsdk.sli.adaptors.aai.param.service.type=service-type diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties deleted file mode 100644 index 3b7f02d6f7..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties +++ /dev/null 
@@ -1,139 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-### -*/}} - -### ### -### Properties for demo ### -### ### -appc.demo.poolMembers=message-router.{{.Release.Namespace}}:3904 -appc.demo.topic.read=APPC-CL -appc.demo.topic.write=APPC-CL -appc.demo.client.name=appcDemoEventListener -appc.demo.threads.queuesize.min=1 -appc.demo.threads.queuesize.max=1000 -appc.demo.threads.poolsize.min=1 -appc.demo.threads.poolsize.max=2 -appc.demo.provider.user={{.Values.config.odlUser}} -appc.demo.provider.pass={{.Values.config.odlPassword}} -appc.demo.provider.url=http://localhost:8181/restconf/operations/appc-provider -appc.provider.vfodl.url=http://{{.Values.config.odlUser|urlquery}}:{{.Values.config.odlPassword|urlquery}}@localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/NODE_NAME/yang-ext:mount/stream-count:stream-count/streams/ - -# The properties right below are needed to properly call the Master DG to serve demo purposes -appc.service.logic.module.name=APPC -appc.topology.dg.method=topology-operation-all -appc.topology.dg.version=2.0.0 - -# TEMP - Properties that might be needed to make the AAI-APPC connection -org.onap.appc.db.url.appcctl=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}:3306/{{.Values.config.appcdb.dbName}} -org.onap.appc.db.user.appcctl=${APPC_DB_USER} -org.onap.appc.db.pass.appcctl=${APPC_DB_PASSWD} - -org.onap.appc.db.url.sdnctl=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.appc.db.user.sdnctl=${SDNC_DB_USER} -org.onap.appc.db.pass.sdnctl=${SDNC_DB_PASSWD} - - -### ### -### OpenStack credentials (these properties also are used in appc-rest-adapter-bundle, appc-chef-adapter-bundle, appc-iaas-adapter-bundle) ### -### ### -provider1.type={{.Values.config.openStackType}} -provider1.name={{.Values.config.openStackName}} -provider1.identity={{.Values.config.openStackKeyStoneUrl}} -provider1.tenant1.name={{.Values.config.openStackServiceTenantName}} 
-provider1.tenant1.domain={{.Values.config.openStackDomain}} -provider1.tenant1.userid={{.Values.config.openStackUserName}} -provider1.tenant1.password={{.Values.config.openStackEncryptedPassword}} - -### ### -### Properties that are not covered or being replaced from default.properties files. Default value for DMaaP IP is 10.0.11.1:3904 ### -### which is what the Master HEAT Template to instantiate OpenECOMP is pointing to (version R1). All other default values are ### -### left there since these are pre-defined as part of APP-C/OpenECOMP default instantiation with Master HEAT Template ### -### ### - - -# Property below is valid in appc-command-executor-core, appc-license-manager-core, appc-lifecycle-management-core, -# appc-request-handler-core, appc-workflow-management-core (all from the appc-dispatcher package). -dmaap.poolMembers=message-router.{{.Release.Namespace}}:3904 - - -# appc-event-listener-bundle properties (only defined in src/test of default.properties) -appc.LCM.poolMembers=message-router.{{.Release.Namespace}}:3904 -appc.LCM.topic.read=APPC-LCM-READ -appc.LCM.topic.write=APPC-LCM-WRITE -appc.LCM.client.name=APPC-EVENT-LISTENER-TEST -appc.LCM.provider.user={{.Values.config.odlUser}} -appc.LCM.provider.pass={{.Values.config.odlPassword}} -appc.LCM.provider.url=http://localhost:8181/restconf/operations/appc-provider-lcm -appc.LCM.scopeOverlap.endpoint=http://localhost:8181/restconf/operations/interfaces-service:execute-service - -# properties from appc-netconf-adapter-bundle, appc-dg-common, appc-dmaap-adapter-bundle -poolMembers=message-router.{{.Release.Namespace}}:3904 -event.pool.members=message-router.{{.Release.Namespace}}:3904 -restconf.user={{.Values.config.odlUser}} -restconf.pass={{.Values.config.odlPassword}} - - -# properties found in appc-rest-adapter-bundle, appc-chef-adapter-bundle, appc-iaas-adapter-bundle) -#Your OpenStack IP -test.ip=10.0.11.100 -# Your OpenStack Platform's Keystone Port (default is 5000) -test.port=5000 
-test.tenantid=test -test.vmid=test -# Port 8774 below is default port for OpenStack's Nova API Service -test.url=http://api.appc.local/vm/9999999/test/99999999-9999-9999-9999-999999999999 -#skips hypervisor check which usually occurs during iaas-adapter-bundle startup -org.onap.appc.iaas.skiphypervisorcheck=true - -# Properties from default.properties in the src/test and src/main paths of appc-asdc-listener-bundle -appc.sdc.host=sdc-be.{{.Release.Namespace}}:8443 -appc.sdc.env=APPC-ASDC-ENV -appc.sdc.user=test -appc.sdc.pass=test -appc.sdc.consumer=APPC-ASDC-CONSUMER -appc.sdc.consumer.id=APPC-ASDC-CONSUMER-ID -appc.sdc.provider.url=http://localhost:8181/restconf/operations/AsdcMessage:configuration-document-request - -# Properties used by EventSenderDmaapImpl.java -DCAE.dmaap.event.topic.write=EventSenderTest -DCAE.dmaap.event.username=test -DCAE.dmaap.event.password=test -DCAE.dmaap.event.poolMembers=message-router.{{.Release.Namespace}}:3904 - -#OAM Listener -appc.OAM.disabled=true -appc.OAM.provider.url=http://localhost:8181/restconf/operations/appc-oam -appc.OAM.poolMembers=message-router.{{.Release.Namespace}}:3904 -appc.OAM.service=ueb -appc.OAM.topic.read=testOAM -appc.OAM.topic.write=testOAM -appc.OAM.client.name=testOAM -appc.OAM.provider.user={{.Values.config.odlUser}} -appc.OAM.provider.pass={{.Values.config.odlPassword}} - -appc.asdc.env={{.Values.config.dmaapTopicEnv}} - -#Properties for communication between appc dmaap microservice and appc -appc.srvcomm.messaging.username={{.Values.config.dmaapServiceUser}} -appc.srvcomm.messaging.password={{.Values.config.dmaapServicePassword}} -appc.srvcomm.messaging.url={{.Values.config.dmaapServiceUrl}} diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/bath_config.csv b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/bath_config.csv deleted file mode 100644 index 24a3dff7e2..0000000000 
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/bath_config.csv
+++ /dev/null
@@ -1,8 +0,0 @@
-# APPC HELM CHART APPC_RESTCONF_UI -> appc@appc.onap.org
-Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==,Basic YXBwY0BhcHBjLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03
-# jolokiaall = demo@people.osaaf.org
-Basic am9sb2tpYWFsbDpqb2xva2lhYWxs,Basic ZGVtb0BwZW9wbGUub3NhYWYub3JnOmRlbW8xMjM0NTYh,2050-03-03
-# restall = aaf_admin@people.osaaf.org
-Basic cmVzdGFsbDpyZXN0YWxs,Basic YWFmX2FkbWluQHBlb3BsZS5vc2FhZi5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03
-# odlro = mmmanger@people.osaaf.org
-Basic b2Rscm86b2Rscm8=,Basic bW1tYW5nZXJAcGVvcGxlLm9zYWFmLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/cadi.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/cadi.properties
deleted file mode 100644
index 0592f8b06f..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/cadi.properties
+++ /dev/null
@@ -1,60 +0,0 @@
-{{/*
-###
-# ============LICENSE_START=======================================================
-# APPC
-# ================================================================================
-# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
-#hostname=localhost
-*/}}
-
-cadi_loglevel=DEBUG
-cadi_bath_convert=/opt/onap/appc/data/properties/bath_config.csv
-
-############################################################
-# Properties Generated by AT&T Certificate Manager
-# @copyright 2016, AT&T
-############################################################
-cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US
-cadi_keyfile=/opt/onap/appc/data/stores/org.onap.appc.keyfile
-cadi_keystore=/opt/onap/appc/data/stores/org.onap.appc.p12
-cadi_keystore_password=enc:j5wAY4JjI6Gg8KbPRT3CK55kCaBZcrSq9XMe0vU2Hj3_TWfhln414p_og8-0u4EV
-#cadi_key_password=enc:
-cadi_alias=appc@appc.onap.org
-cadi_truststore=/opt/onap/appc/data/stores/truststoreONAPall.jks
-cadi_truststore_password=enc:9WJ6CRlrFmHiQrFlckhHybFXOwPW3tRetofp3AZ5nyt
-
-##
-## org.osaaf.location.props
-##
-## Localized Machine Information
-##
-# Almeda California ?
-cadi_latitude=37.78187
-cadi_longitude=-122.26147
-
-# Locate URL (which AAF Env)
-aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
-
-# AAF URL
-aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-
-# AAF Environment Designation
-aaf_env=DEV
-
-# OAuth2 Endpoints
-aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token
-aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/dblib.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/dblib.properties
deleted file mode 100644
index 3c19fb44e3..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/dblib.properties
+++ /dev/null
@@ -1,39 +0,0 @@
-{{/*
-###
-# ============LICENSE_START=======================================================
-# APPC
-# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
-*/}}
-
-# dblib.properrties
-org.onap.ccsdk.sli.dbtype=jdbc
-
-org.onap.ccsdk.sli.jdbc.hosts=dbhost
-org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver
-org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER}
-org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD}
-org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01
-org.onap.ccsdk.sli.jdbc.connection.timeout=50
-org.onap.ccsdk.sli.jdbc.request.timeout=100
-org.onap.ccsdk.sli.jdbc.limit.init=10
-org.onap.ccsdk.sli.jdbc.limit.min=10
-org.onap.ccsdk.sli.jdbc.limit.max=20
-org.onap.dblib.connection.recovery=false
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/svclogic.properties
deleted file mode 100644
index 95f672c2e2..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/svclogic.properties
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-###
-# ============LICENSE_START=======================================================
-# APPC
-# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
-*/}}
-
-org.onap.ccsdk.sli.dbtype = dblib
-#Note : the next 4 fields are only used if org.onap.ccsdk.sli.dbtype = jdbc
-org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER}
-org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD}
-
-org.xml.sax.driver=org.apache.xerces.parsers.SAXParser
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/bin/showActiveGraphs.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/bin/showActiveGraphs.sh
deleted file mode 100755
index b6fb2d88a9..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/bin/showActiveGraphs.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-
-{{/*
-###
-# ============LICENSE_START=======================================================
-# APPC
-# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
-###
-*/}}
-
-MYSQL_USER=${SDNC_DB_USER}
-MYSQL_PWD=${SDNC_DB_PASSWD}
-MYSQL_DB={{.Values.config.sdncdb.dbName}}
-MYSQL_HOST=${MYSQL_HOST:-{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}}
-
-mysql --user=${MYSQL_USER} --password=${MYSQL_PWD} --host=${MYSQL_HOST} ${MYSQL_DB} <<-END
-SELECT module, rpc, version, mode from SVC_LOGIC where active='Y';
-END
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/config/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/config/svclogic.properties
deleted file mode 100644
index a6f7f50026..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/config/svclogic.properties
+++ /dev/null
@@ -1,29 +0,0 @@
-{{/*
-###
-# ============LICENSE_START=======================================================
-# APPC
-# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
-###
-*/}}
-
-org.onap.ccsdk.sli.dbtype = jdbc
-org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.database = {{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.user = ${SDNC_DB_USER}
-org.onap.ccsdk.sli.jdbc.password = ${SDNC_DB_PASSWD}
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh
deleted file mode 100755
index 7257d186e6..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh
+++ /dev/null
@@ -1,49 +0,0 @@ -#!/bin/sh - -{{/* - -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk} -MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD} - -SDNC_DB_USER=${SDNC_DB_USER} -SDNC_DB_PASSWD=${SDNC_DB_PASSWD} -SDNC_DB_DATABASE={{.Values.config.sdncdb.dbName}} - - -# Create tablespace and user account -mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END -CREATE DATABASE ${SDNC_DB_DATABASE}; -CREATE USER '${SDNC_DB_USER}'@'localhost' IDENTIFIED BY '${SDNC_DB_PASSWD}'; -CREATE USER '${SDNC_DB_USER}'@'%' IDENTIFIED BY '${SDNC_DB_PASSWD}'; -GRANT ALL PRIVILEGES ON ${SDNC_DB_DATABASE}.* TO '${SDNC_DB_USER}'@'localhost' WITH GRANT OPTION; -GRANT ALL PRIVILEGES ON ${SDNC_DB_DATABASE}.* TO '${SDNC_DB_USER}'@'%' WITH GRANT OPTION; -commit; -END - -if [ -f ${SDNC_HOME}/data/odlsli.dump ] -then -mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} ${SDNC_DB_DATABASE} < 
${SDNC_HOME}/data/odlsli.dump -fi diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/aaiclient.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/aaiclient.properties deleted file mode 100644 index fb56680a1d..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/aaiclient.properties +++ /dev/null 
@@ -1,251 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -# -# Configuration file for A&AI Client -# - -# -# Certificate keystore and truststore -# -org.onap.ccsdk.sli.adaptors.aai.ssl.trust=/opt/openecomp/appc/data/stores/truststore.openecomp.client.jks -org.onap.ccsdk.sli.adaptors.aai.ssl.trust.psswd=adminadmin -org.onap.ccsdk.sli.adaptors.aai.host.certificate.ignore=true - -org.onap.ccsdk.sli.adaptors.aai.client.name=AAI -org.onap.ccsdk.sli.adaptors.aai.client.psswd=AAI - -org.onap.ccsdk.sli.adaptors.aai.application=openECOMP -#connection.timeout=1000 -#read.timeout=2000 - -# -# Configuration file for A&AI Client -# -org.onap.ccsdk.sli.adaptors.aai.uri=https://aai.{{.Release.Namespace}}:8443 - - -# query -org.onap.ccsdk.sli.adaptors.aai.path.query=/aai/v11/search/sdn-zone-query -org.onap.ccsdk.sli.adaptors.aai.query.nodes=/aai/v11/search/nodes-query?search-node-type={node-type}&filter={entity-identifier}:EQUALS:{entity-name} 
-org.onap.ccsdk.sli.adaptors.aai.query.generic=/aai/v11/search/generic-query?key={identifier}:{value}&start-node-type={start-node-type}&include=complex&depth=3 - -# named query -org.onap.ccsdk.sli.adaptors.aai.query.named=/aai/search/named-query - - -#update -org.onap.ccsdk.sli.adaptors.aai.update=/aai/v11/actions/update - -# vce -org.onap.ccsdk.sli.adaptors.aai.path.vce =/aai/v11/network/vces/vce/ -org.onap.ccsdk.sli.adaptors.aai.path.vces=/aai/v11/network/vces/ - -# vpe -org.onap.ccsdk.sli.adaptors.aai.path.vpe =/aai/v11/network/vpes/vpe/ -org.onap.ccsdk.sli.adaptors.aai.path.vpes=/aai/v11/network/vpes/ - -# customer -org.onap.ccsdk.sli.adaptors.aai.path.customer=/aai/v11/business/customers/customer/{customer-id} - -# service subscription -org.onap.ccsdk.sli.adaptors.aai.path.service.subscription=/aai/v11/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type} - -# service instance -org.onap.ccsdk.sli.adaptors.aai.path.svcinst=/aai/v11/business/customers/customer/{customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances -org.onap.ccsdk.sli.adaptors.aai.path.svcinst.query=/aai/v11/search/generic-query?key=service-instance.service-instance-id:{svc-instance-id}&start-node-type=service-instance&include=service-instance -org.onap.ccsdk.sli.adaptors.aai.path.service.instance=/aai/v11/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances/service-instance/{service-instance-id} - -# complex -org.onap.ccsdk.sli.adaptors.aai.path.complexes=/aai/v11/cloud-infrastructure/complexes -org.onap.ccsdk.sli.adaptors.aai.path.complex=/aai/v11/cloud-infrastructure/complexes/complex/{physical-location-id} - -# tenant -org.onap.ccsdk.sli.adaptors.aai.path.tenant=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id} 
-org.onap.ccsdk.sli.adaptors.aai.path.tenant.query=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant?tenant-name={tenant-name} - -# vservers -org.onap.ccsdk.sli.adaptors.aai.path.vservers=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/ -org.onap.ccsdk.sli.adaptors.aai.path.vserver=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id} - -# vpls-pe -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pes=/aai/v11/network/vpls-pes/ -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pe =/aai/v11/network/vpls-pes/vpls-pe/ - -# ctag-pool -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pools=/aai/v11/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pool=/aai/v11/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools/ctag-pool/{target-pe}/{availability-zone-name} - -# -#-------------- 1510 ---------------------- -# - -# pservers -org.onap.ccsdk.sli.adaptors.aai.path.pservers=/aai/v11/cloud-infrastructure/pservers -org.onap.ccsdk.sli.adaptors.aai.path.pserver=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname} - -# generic-vnf -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnfs=/aai/v11/network/generic-vnfs -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id} - -# dvs-switch -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitches=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitch=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches/dvs-switch/{switch-name} - -# L3 Networks -org.onap.ccsdk.sli.adaptors.aai.path.l3networks=/aai/v11/network/l3-networks 
-org.onap.ccsdk.sli.adaptors.aai.path.l3network=/aai/v11/network/l3-networks/l3-network/{network-id} -org.onap.ccsdk.sli.adaptors.aai.path.l3network.query.name=/aai/v11/network/l3-networks/l3-network?network-name={network-name} - -# P-Interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterfaces=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterface=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{interface-name} - -# Physical Link -org.onap.ccsdk.sli.adaptors.aai.path.physical.links=/aai/v11/network/physical-links -org.onap.ccsdk.sli.adaptors.aai.path.physical.link=/aai/v11/network/physical-links/physical-link/{link-name} - -# VPN Bindings -org.onap.ccsdk.sli.adaptors.aai.path.vpn.bindings=/aai/v11/network/vpn-bindings/ -org.onap.ccsdk.sli.adaptors.aai.path.vpn.binding=/aai/v11/network/vpn-bindings/vpn-binding/{vpn-id} - -# VNF IMAGES -org.onap.ccsdk.sli.adaptors.aai.path.vnf.images=/aai/v11/service-design-and-creation/vnf-images -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image=/aai/v11/service-design-and-creation/vnf-images/vnf-image/{att-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image.query=/aai/v11/service-design-and-creation/vnf-images/vnf-image?application={application_model}&application-vendor={application_vendor} - -# UBB Notify -org.onap.ccsdk.sli.adaptors.aai.path.notify=/aai/v11/actions/notify -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3SDN-API:services/layer3-service-list/{service-instance-id} -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information - -# Service -org.onap.ccsdk.sli.adaptors.aai.path.service=/aai/v11/service-design-and-creation/services/service/{service-id} 
-org.onap.ccsdk.sli.adaptors.aai.path.services=/aai/v11/service-design-and-creation/services - - -# -#-------------- 1604 ---------------------- -# - -# VNFC -org.onap.ccsdk.sli.adaptors.aai.path.vnfc=/aai/v11/network/vnfcs/vnfc/{vnfc-name} - -# class-of-service -org.onap.ccsdk.sli.adaptors.aai.path.class.of.service=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id}/classes-of-service/class-of-service/{cos-id} - -# site-pair -org.onap.ccsdk.sli.adaptors.aai.path.site.pair=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id} - -# routing-instance -org.onap.ccsdk.sli.adaptors.aai.path.routing.instance=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id} - -# site-pair-set -org.onap.ccsdk.sli.adaptors.aai.path.site.pair.set=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id} - -# license key resource -org.onap.ccsdk.sli.adaptors.aai.path.license.acquire=/aai/v11/actions/assignment/license-management/assignment-group-uuid/{assignment-group-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.license=/aai/v11/license-management/license-key-resources/license-key-resource/{att-uuid} - -# logical-link -org.onap.ccsdk.sli.adaptors.aai.path.logical.link =/aai/v11/network/logical-links/logical-link/{link-name} - -# virtual-data-center -org.onap.ccsdk.sli.adaptors.aai.path.virtual.data.center=/aai/v11/cloud-infrastructure/virtual-data-centers/virtual-data-center/{vdc-id} - -# wan-connector -org.onap.ccsdk.sli.adaptors.aai.path.wan.connector=/aai/v11/business/connectors/connector/{resource-instance-id} - -# l-interface 
-org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# l-interface pnf -org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface.pnf=/aai/v11/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface.pnf=/aai/v11/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# subinterface -org.onap.ccsdk.sli.adaptors.aai.path.pnf.lag.interface.subinterface=/aai/v11/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.pnf.p.interface.l.interface=/aai/v11/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# vlans -org.onap.ccsdk.sli.adaptors.aai.path.vlan=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.vlan=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} - -# l3-interface-ipv4-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} 
-org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# l3-interface-ipv6-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv6.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} -org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv6.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# ipsec-configuration -org.onap.ccsdk.sli.adaptors.aai.path.ipsec.configuration=/aai/v11/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id} - -# vig server -org.onap.ccsdk.sli.adaptors.aai.path.vig.server=/aai/v11/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id}/vig-servers/vig-server/{vig-address-type} - -# l3-network -org.onap.ccsdk.sli.adaptors.aai.path.l3.network=/aai/v11/network/l3-networks/l3-network/{network-id} - -# subnet -org.onap.ccsdk.sli.adaptors.aai.path.subnet=/aai/v11/network/l3-networks/l3-network/{network-id}/subnets/subnet/{subnet-id} - -# multicast-configuration -org.onap.ccsdk.sli.adaptors.aai.path.multicast.configuration=/aai/v11/network/multicast-configurations/multicast-configuration/{multicast-configuration-id} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv4.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.vlan.ipv4.address.list 
-org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.vlan.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv6.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv6.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# volume.group -org.onap.ccsdk.sli.adaptors.aai.path.volume.group=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/volume-groups/volume-group/{volume-group-id} - -#cloud region -org.onap.ccsdk.sli.adaptors.aai.path.cloud.region=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id} - -# vf-module -org.onap.ccsdk.sli.adaptors.aai.path.vf.module=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/vf-modules/vf-module/{vf-module-id} - -# l-interface through generic-vnf -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.linterface=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name} - -# network-policy -org.onap.ccsdk.sli.adaptors.aai.path.network.policy=/aai/v11/network/network-policies/network-policy/{network-policy-id} - -# pnf -org.onap.ccsdk.sli.adaptors.aai.path.pnf=/aai/v11/network/pnfs/pnf/{pnf-name} - -# -# Formatting -# -org.onap.ccsdk.sli.adaptors.aai.param.format=filter=%s:%s -org.onap.ccsdk.sli.adaptors.aai.param.vnf_type=vnf-type -org.onap.ccsdk.sli.adaptors.aai.param.physical.location.id=physical-location-id -org.onap.ccsdk.sli.adaptors.aai.param.service.type=service-type 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/dblib.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/dblib.properties
deleted file mode 100644
index a46920f001..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/dblib.properties
+++ /dev/null
@@ -1,40 +0,0 @@
-{{/*
-###
-# ============LICENSE_START=======================================================
-# openECOMP : SDN-C
-# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights
-# reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
-*/}}
-
-# dblib.properrties
-org.onap.ccsdk.sli.dbtype=jdbc
-
-org.onap.ccsdk.sli.jdbc.hosts=dbhost
-org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver
-org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER}
-org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD}
-org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01
-org.onap.ccsdk.sli.jdbc.connection.timeout=50
-org.onap.ccsdk.sli.jdbc.request.timeout=100
-org.onap.ccsdk.sli.jdbc.limit.init=10
-org.onap.ccsdk.sli.jdbc.limit.min=10
-org.onap.ccsdk.sli.jdbc.limit.max=20
-org.onap.dblib.connection.recovery=false
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/svclogic.properties
deleted file mode 100644
index a0df862636..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/svclogic.properties
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/*
-###
-# ============LICENSE_START=======================================================
-# openECOMP : SDN-C
-# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights
-# reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
-*/}}
-
-org.onap.ccsdk.sli.dbtype = dblib
-#Note : the next 4 fields are only used if org.onap.ccsdk.sli.dbtype = jdbc
-org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER}
-org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD}
-
-org.xml.sax.driver=org.apache.xerces.parsers.SAXParser
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh
deleted file mode 100755
index d0e6c3ee71..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-
-{{/*
-###
-# ============LICENSE_START=======================================================
-# openECOMP : SDN-C
-# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights
-# reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
-*/}}
-
-MYSQL_USER=${SDNC_DB_USER}
-MYSQL_PWD=${SDNC_DB_PASSWD}
-MYSQL_DB={{.Values.config.sdncdb.dbName}}
-MYSQL_HOST=${MYSQL_HOST:-{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}}
-
-mysql --user=${MYSQL_USER} --password=${MYSQL_PWD} --host=${MYSQL_HOST} ${MYSQL_DB} <<-END
-SELECT module, rpc, version, mode from SVC_LOGIC where active='Y';
-END
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/config/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/config/svclogic.properties
deleted file mode 100644
index 5be5b8ddab..0000000000
--- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/config/svclogic.properties
+++ /dev/null
@@ -1,29 +0,0 @@
-{{/*
-###
-# ============LICENSE_START=======================================================
-# openECOMP : SDN-C
-# ================================================================================
-# Copyright (C) 2017 AT&T Intellectual Property. All rights
-# reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-###
-*/}}
-
-org.onap.ccsdk.sli.dbtype = jdbc
-org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.database = {{.Values.config.sdncdb.dbName}}
-org.onap.ccsdk.sli.jdbc.user = ${SDNC_DB_USER}
-org.onap.ccsdk.sli.jdbc.password = ${SDNC_DB_PASSWD}
diff --git a/kubernetes/appc/resources/config/certs/org.onap.appc.keyfile b/kubernetes/appc/resources/config/certs/org.onap.appc.keyfile
deleted file mode 100644
index b7dd5ff9e7..0000000000
--- a/kubernetes/appc/resources/config/certs/org.onap.appc.keyfile
+++ /dev/null
@@ -1,27 +0,0 @@ -EVYIj42lKzRyMicebf8OOUa9CVwvaKie3N7fTGeDT-GjiR6M6AHQCwBD9Bj95VxgVWOyXGAYy7eT -SSfnkVBgcdZWXlRL7HSUocs52DneRTGYcYGIBGz24O6EpmeZQyWluCKBcVCALKClPzqBNsHa2W06 -XwAccZzYPkDV-taGqF5kP10RiYvKe5YoZEQYBfauS3lDqf47AP-Dh1wLUIpvTSAUfBgDW9FBx9Ay -8Wy2geTuAXcPduBtTGIj3law-5ePDFRqwVVkXmSaEmEn34NvJ4z6Ww7VHqzqBxKAvLErV-KCEHEa -L3L1CCqNCXjUUa_D8CReDA-LPAG_v0yrjQxrdqzcYJ76Q0uIlNmEi_85AlAUXx6KGC03TqaGqICW -nNs4ouxM6U4ekiDi9qbFh7RlTEXw6bHhJPCq-G5ID-crWDHSarQ3IUR5qOmgIFIxpkPksBSGmUI4 -OIScgb2TtqG94EAZ3qu3PmzVlJrxbHYHVFlNLEecu7tGtiQJTLUHpJ0Z8O2GOc8bBz6o6NBT72Pv -i068VkLyUyrSNnVo9rNVFWAc3HREFi85KszBdk58kPTr2AQFH9iK2hmrXTdnPMjhmQgRh4xiAn4J -v5Gsb4DL2si3ZjD2E36Fy5XlPhyFFc8gdB6-v-Et1XJTU6mwV5DgKgg5o3WdHTuHZjYgWmcATZiQ -yLOQ6ZdjTF_004yOSkUzHbArOEmS6LIPTuLibvN6CY1Q0u_ucl5iaIbcwo_sVFisnVXQBHYXblBm -MgZZFg0n5ugL-bdUSdJtU7yIU5t79n0aMxnN84QhuREMSvCUioCrBD5c5H22iqbY7UCPO9Yy7lM- -aPVDRPwHAKEVjYqf4Z4k0Jthn7wqWS2iAKVOEi4R1oniAuuIcM9xoha0-LdRe8hWTV-qXDbtCVDz -h6Rw3dqtS5mCGBMC0TCrLJzG5n3Ed_4kGl5Emb3SXHWNqI_BuIalU4uot7seCv464E3QWQgAkv8w -wTk_IEWIFZhKJIcy5Brsw7Fz-XWQWkExEU3xKButC9hFXpdszF0y8CYUI6EPt2mPqaxB6zu3s4Bv -bKrVxFPX97mOeD8TpmxElmF0vpdhJ9Ee8clvBrGtLl1UIP6B80PrAPEZMLNhLV8S-ZJMKL5PTZh0 -_HNpj1EfiXnBz02cbes5Fuq9M8Dk7f16tP8prYzJ1JbnLTNHHcW4Z1quKrN8RIoYw3qzlXuYRm6Y -8rbuPlZ1wTllIxf00omnonJw8Fx9XzArv_UvqTvAYrv22YliUSl-lcFi8cOK58bmM5rBmkWoFObK -DsCMicfyPWhKf3DEwg1Y0j0qKppFqtKcSxnIbQ-VPRCrRv2yTjauEW6iNlq3RQKSJqFjUVmSUn2w -7tYQzeNv0tYgfRtHgSy_CA9q_ANJFFlxDtqtrFTsgrEH4jOlLs2_UN96RNUhVqSu95X5hEukI574 -kQBUMc5gGQvQ2_Xug15O_-cFfhtalI7NBZkGNNPY5K8h7xYZp2aAl-pNPwKHAmrOWAvFwy64A1NT -_RrZxrtVkj-k3f8Mv_p56yChUpujZ_ZDwLgYKWraqDxyEctpXyMMgjOYRy2CZ6oZfuAygrN5Gw4k -zMKBDkz_5LO_rYU2RUa2NRDLlh2Y47Gxt90IEw_i8y7nxn7K6y3nApI11tfsiiotYq8DLk6jYh07 -mJg-D8lb0q9JRYmnJcNkIQNVJ06bmJnaJQZ7GXUz9MF8_zuTdm4D8m_Ly2Ai4KFq_lw5CBVrLM5k -pfJveSw_6_uF5pda_EZoR4bBoWdrFvLNwob3lsdgiIYGTafQx2SFfQiiEB_CwpGuj4_Dv-TkUT2O -Ui2UWI9Gr-HxSITnvUR0UHStrDb5miXEr8E_Znwc4Db2juh30L57aEtl5N0TYwKI925qLNLHbFg0 
-FKEvIt-o7HmvPY6UqajwAtIAdKpxWpWD-hl-eNVNsT4mVzdegIrM2wzzKIcLOvCEEvyWei_E8mIp -nqYw9LoFrQf3dCh8XeamqYkbPE00E8p1zXPNRow5iz9NQ-BNksp1e-ghqF_xr3L4eh7BkEu2 \ No newline at end of file diff --git a/kubernetes/appc/resources/config/certs/org.onap.appc.p12 b/kubernetes/appc/resources/config/certs/org.onap.appc.p12 deleted file mode 100644 index 352c4f562a..0000000000 Binary files a/kubernetes/appc/resources/config/certs/org.onap.appc.p12 and /dev/null differ diff --git a/kubernetes/appc/resources/config/log/filebeat/filebeat.yml b/kubernetes/appc/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 98df709639..0000000000 --- a/kubernetes/appc/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - - # The below commented properties are for time-based rolling policy. But as the log4j 1.2x does not support time-based rolling these properties are not set - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - #ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - #clean_inactive: 96h - - #Multiline properties for log4j xml log events - multiline.pattern: '' - multiline.negate: true - multiline.match: before - #multiline.max_lines: 500 - #multiline.timeout: 5s - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/appc/resources/config/log/org.ops4j.pax.logging.cfg b/kubernetes/appc/resources/config/log/org.ops4j.pax.logging.cfg deleted file mode 100644 index b74cc995fd..0000000000 --- a/kubernetes/appc/resources/config/log/org.ops4j.pax.logging.cfg +++ /dev/null 
@@ -1,97 +0,0 @@
-{{/*
-################################################################################
-#
-# ============LICENSE_START=======================================================
-# ONAP : APPC
-# ================================================================================
-# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-#
-################################################################################
-*/}}
-
-# Common pattern layout for appenders
-log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
-
-# Root logger
-log4j2.rootLogger.level = INFO
-# uncomment to use asynchronous loggers, which require mvn:com.lmax/disruptor/3.3.2 library
-#log4j2.rootLogger.type = asyncRoot
-#log4j2.rootLogger.includeLocation = false
-log4j2.rootLogger.appenderRef.RollingFile.ref = RollingFile
-log4j2.rootLogger.appenderRef.PaxOsgi.ref = PaxOsgi
-log4j2.rootLogger.appenderRef.Console.ref = Console
-log4j2.rootLogger.appenderRef.Console.filter.threshold.type = ThresholdFilter
-log4j2.rootLogger.appenderRef.Console.filter.threshold.level = ${karaf.log.console:-OFF}
-
-# Loggers configuration
-
-# Spifly logger
-log4j2.logger.spifly.name = org.apache.aries.spifly
-log4j2.logger.spifly.level = WARN
-
-# Security audit logger
-log4j2.logger.audit.name = org.apache.karaf.jaas.modules.audit
-log4j2.logger.audit.level = INFO
-log4j2.logger.audit.additivity = false
-log4j2.logger.audit.appenderRef.AuditRollingFile.ref = AuditRollingFile
-
-# Appenders configuration
-
-# Console appender not used by default (see log4j2.rootLogger.appenderRefs)
-log4j2.appender.console.type = Console
-log4j2.appender.console.name = Console
-log4j2.appender.console.layout.type = PatternLayout
-log4j2.appender.console.layout.pattern = ${log4j2.pattern}
-
-# Rolling file appender
-log4j2.appender.rolling.type = RollingRandomAccessFile
-log4j2.appender.rolling.name = RollingFile
-log4j2.appender.rolling.fileName = ${karaf.data}/log/karaf.log
-log4j2.appender.rolling.filePattern = ${karaf.data}/log/karaf.log.%i
-# uncomment to not force a disk flush
-#log4j2.appender.rolling.immediateFlush = false
-log4j2.appender.rolling.append = true
-log4j2.appender.rolling.layout.type = PatternLayout
-log4j2.appender.rolling.layout.pattern = ${log4j2.pattern}
-log4j2.appender.rolling.policies.type = Policies
-log4j2.appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
-log4j2.appender.rolling.policies.size.size = 16MB
-
-# Audit file appender
-log4j2.appender.audit.type = RollingRandomAccessFile
-log4j2.appender.audit.name = AuditRollingFile
-log4j2.appender.audit.fileName = ${karaf.data}/security/audit.log
-log4j2.appender.audit.filePattern = ${karaf.data}/security/audit.log.%i
-log4j2.appender.audit.append = true
-log4j2.appender.audit.layout.type = PatternLayout
-log4j2.appender.audit.layout.pattern = ${log4j2.pattern}
-log4j2.appender.audit.policies.type = Policies
-log4j2.appender.audit.policies.size.type = SizeBasedTriggeringPolicy
-log4j2.appender.audit.policies.size.size = 8MB
-
-# OSGi appender
-log4j2.appender.osgi.type = PaxOsgi
-log4j2.appender.osgi.name = PaxOsgi
-log4j2.appender.osgi.filter = *
-
-# help with identification of maven-related problems with pax-url-aether
-#log4j2.logger.aether.name = shaded.org.eclipse.aether
-#log4j2.logger.aether.level = TRACE
-#log4j2.logger.http-headers.name = shaded.org.apache.http.headers
-#log4j2.logger.http-headers.level = DEBUG
-#log4j2.logger.maven.name = org.ops4j.pax.url.mvn
-#log4j2.logger.maven.level = TRACE
-
diff --git a/kubernetes/appc/templates/NOTES.txt b/kubernetes/appc/templates/NOTES.txt
deleted file mode 100644
index 455b030b0a..0000000000
--- a/kubernetes/appc/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
- http://{{ . }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
-{{- end }}
diff --git a/kubernetes/appc/templates/configmap.yaml b/kubernetes/appc/templates/configmap.yaml
deleted file mode 100644
index 6ebf0b1026..0000000000
--- a/kubernetes/appc/templates/configmap.yaml
+++ /dev/null
@@ -1,134 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-onap-sdnc-bin
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/bin/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-onap-sdnc-data-properties
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/data/properties/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-bin
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/svclogic/bin/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-config
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/svclogic/config/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-onap-appc-bin
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/bin/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-onap-appc-data-properties
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/data/properties/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-onap-appc-svclogic-bin
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/svclogic/bin/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-onap-appc-svclogic-config
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/svclogic/config/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-logging-cfg
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }}
-
-{{ include "common.log.configMap" . }}
diff --git a/kubernetes/appc/templates/ingress.yaml b/kubernetes/appc/templates/ingress.yaml
deleted file mode 100644
index 8f87c68f1e..0000000000
--- a/kubernetes/appc/templates/ingress.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "common.ingress" . }}
diff --git a/kubernetes/appc/templates/pv.yaml b/kubernetes/appc/templates/pv.yaml
deleted file mode 100644
index 0df2dbf378..0000000000
--- a/kubernetes/appc/templates/pv.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, AT&T, Bell Canada
-# #
-# # Licensed under the Apache License, Version 2.0 (the "License");
-# # you may not use this file except in compliance with the License.
-# # You may obtain a copy of the License at
-# #
-# # http://www.apache.org/licenses/LICENSE-2.0
-# #
-# # Unless required by applicable law or agreed to in writing, software
-# # distributed under the License is distributed on an "AS IS" BASIS,
-# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# # See the License for the specific language governing permissions and
-# # limitations under the License.
-*/}}
-{{- $global := . }}
-{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) -}}
-{{- if eq "True" (include "common.needPV" .) -}}
-{{- range $i, $t := until (int $global.Values.replicaCount)}}
-kind: PersistentVolume
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" $global }}-data-{{$i}}
- namespace: {{ include "common.namespace" $global }}
- labels:
- app: {{ include "common.fullname" $global }}
- chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}"
- release: "{{ include "common.release" $global }}"
- heritage: "{{ $global.Release.Service }}"
- name: {{ include "common.fullname" $global }}
-spec:
- capacity:
- storage: {{ $global.Values.persistence.size}}
- accessModes:
- - {{ $global.Values.persistence.accessMode }}
- storageClassName: "{{ include "common.fullname" $global }}-data"
- persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }}
- hostPath:
- path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}{{$i}}
-{{if ne $i (int $global.Values.replicaCount) }}
----
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/appc/templates/secrets.yaml b/kubernetes/appc/templates/secrets.yaml
deleted file mode 100644
index 3cccd128eb..0000000000
--- a/kubernetes/appc/templates/secrets.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.secretFast" . }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-certs
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/config/certs/*").AsSecrets . | indent 2 }}
diff --git a/kubernetes/appc/templates/service.yaml b/kubernetes/appc/templates/service.yaml
deleted file mode 100644
index eb95ffc405..0000000000
--- a/kubernetes/appc/templates/service.yaml
+++ /dev/null
@@ -1,89 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
- annotations:
- msb.onap.org/service-info: '[
- {
- "serviceName": "appc",
- "version": "v1",
- "url": "/",
- "protocol": "REST",
- "port": "{{ .Values.service.externalPort }}",
- "visualRange":"1",
- "path": "/"
- }
- ]'
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: "{{ .Values.service.portName }}-8443"
- - port: {{ .Values.service.externalPort2 }}
- targetPort: {{ .Values.service.internalPort2 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
- name: "{{ .Values.service.portName }}-1830"
- - port: {{ .Values.service.externalPort3 }}
- targetPort: {{ .Values.service.internalPort3 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }}
- name: "{{ .Values.service.portName }}-9090"
- {{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}-8443
- - port: {{ .Values.service.externalPort2 }}
- targetPort: {{ .Values.service.internalPort2 }}
- name: {{ .Values.service.portName }}-1830
- - port: {{ .Values.service.externalPort3 }}
- targetPort: {{ .Values.service.internalPort3 }}
- name: {{ .Values.service.portName }}-9090
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}-cluster
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- annotations:
- service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
-spec:
- ports:
- - name: "{{ .Values.service.portName }}-cluster-port"
- port: {{ .Values.service.clusterPort }}
- clusterIP: None
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- sessionAffinity: None
- type: ClusterIP
diff --git a/kubernetes/appc/templates/statefulset.yaml b/kubernetes/appc/templates/statefulset.yaml
deleted file mode 100644
index d67e1687ba..0000000000
--- a/kubernetes/appc/templates/statefulset.yaml
+++ /dev/null
@@ -1,292 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- selector:
- matchLabels:
- app: {{ include "common.name" . }}
- serviceName: "{{ .Values.service.name }}-cluster"
- replicas: {{ .Values.replicaCount }}
- podManagementPolicy: Parallel
- template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- spec:
- initContainers:
- - command:
- - sh
- args:
- - -c
- - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; chmod 0755 /config/${PFILE}; done"
- env:
- - name: APPC_DB_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "login") | indent 10 }}
- - name: APPC_DB_PASSWD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "password") | indent 10 }}
- - name: SDNC_DB_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdncdb-user-creds" "key" "login") | indent 10 }}
- - name: SDNC_DB_PASSWD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdncdb-user-creds" "key" "password") | indent 10 }}
- volumeMounts:
- - mountPath: /config-input/appc-data-properties
- name: onap-appc-data-properties-input
- - mountPath: /config-input/appc-svclogic-config
- name: onap-appc-svclogic-config-input
- - mountPath: /config-input/sdnc-data-properties
- name: onap-sdnc-data-properties-input
- - mountPath: /config-input/sdnc-svclogic-config
- name: onap-sdnc-svclogic-config-input
- - mountPath: /config/appc-data-properties
- name: onap-appc-data-properties
- - mountPath: /config/appc-svclogic-config
- name: onap-appc-svclogic-config
- - mountPath: /config/sdnc-data-properties
- name: onap-sdnc-data-properties
- - mountPath: /config/sdnc-svclogic-config
- name: onap-sdnc-svclogic-config
- image: {{ include "repositoryGenerator.image.envsubst" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- name: {{ include "common.name" . }}-update-config
-
- - name: {{ include "common.name" . }}-readiness
- command:
- - /app/ready.py
- args:
- - --container-name
- - {{.Values.config.mariadbGaleraContName}}
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- - name: {{ include "common.name" . }}-chown
- image: {{ include "repositoryGenerator.image.busybox" . }}
- command: ["sh", "-c", "chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }}"]
- volumeMounts:
- - mountPath: {{ .Values.persistence.mdsalPath }}
- name: {{ include "common.fullname" . }}-data
- containers:
- - name: {{ include "common.name" . }}
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command:
- - /opt/appc/bin/startODL.sh
- ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.externalPort2 }}
- readinessProbe:
- tcpSocket:
- port: {{ .Values.service.internalPort }}
- initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
- periodSeconds: {{ .Values.readiness.periodSeconds }}
- env:
- - name: MYSQL_ROOT_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}}
- - name: APPC_DB_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "login") | indent 14 }}
- - name: APPC_DB_PASSWD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "password") | indent 14 }}
- - name: SDNC_DB_USER
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdncdb-user-creds" "key" "login") | indent 14 }}
- - name: SDNC_DB_PASSWD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdncdb-user-creds" "key" "password") | indent 14 }}
- - name: SDNC_CONFIG_DIR
- value: "{{ .Values.config.configDir }}"
- - name: APPC_CONFIG_DIR
- value: "{{ .Values.config.configDir }}"
- - name: DMAAP_TOPIC_ENV
- value: "{{ .Values.config.dmaapTopic }}"
- - name: ENABLE_AAF
- value: "{{ .Values.config.enableAAF }}"
- - name: ENABLE_ODL_CLUSTER
- value: "{{ .Values.config.enableClustering }}"
- - name: APPC_REPLICAS
- value: "{{ .Values.replicaCount }}"
- volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- - mountPath: /opt/onap/appc/data/properties/dblib.properties
- name: onap-appc-data-properties
- subPath: dblib.properties
- - mountPath: /opt/onap/appc/data/properties/svclogic.properties
- name: onap-appc-data-properties
- subPath: svclogic.properties
- - mountPath: /opt/onap/appc/data/properties/appc.properties
- name: onap-appc-data-properties
- subPath: appc.properties
- - mountPath: /opt/onap/appc/data/properties/aaiclient.properties
- name: onap-appc-data-properties
- subPath: aaiclient.properties
- - mountPath: /opt/onap/appc/data/properties/cadi.properties
- name: onap-appc-data-properties
- subPath: cadi.properties
- - mountPath: /opt/onap/appc/data/properties/aaa-app-config.xml
- name: onap-appc-data-properties-input
- subPath: aaa-app-config.xml
- - mountPath: /opt/onap/appc/data/properties/bath_config.csv
- name: onap-appc-data-properties
- subPath: bath_config.csv
- - mountPath: /opt/onap/appc/svclogic/config/svclogic.properties
- name: onap-appc-svclogic-config
- subPath: svclogic.properties
- - mountPath: /opt/onap/appc/svclogic/bin/showActiveGraphs.sh
- name: onap-appc-svclogic-bin
- subPath: showActiveGraphs.sh
- - mountPath: /opt/onap/appc/bin/startODL.sh
- name: onap-appc-bin
- subPath: startODL.sh
- - mountPath: /opt/onap/appc/bin/installAppcDb.sh
- name: onap-appc-bin
- subPath: installAppcDb.sh
- - mountPath: /opt/onap/appc/bin/health_check.sh
- name: onap-appc-bin
- subPath: health_check.sh
- - mountPath: /opt/onap/ccsdk/data/properties/dblib.properties
- name: onap-sdnc-data-properties
- subPath: dblib.properties
- - mountPath: /opt/onap/ccsdk/data/properties/svclogic.properties
- name: onap-sdnc-data-properties
- subPath: svclogic.properties
- - mountPath: /opt/onap/ccsdk/data/properties/aaiclient.properties
- name: onap-sdnc-data-properties
- subPath: aaiclient.properties
- - mountPath: /opt/onap/ccsdk/svclogic/config/svclogic.properties
- name: onap-sdnc-svclogic-config
- subPath: svclogic.properties
- - mountPath: /opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh
- name: onap-sdnc-svclogic-bin
- subPath: showActiveGraphs.sh
- - mountPath: /opt/onap/ccsdk/bin/installSdncDb.sh
- name: onap-sdnc-bin
- subPath: installSdncDb.sh
- - mountPath: {{ .Values.persistence.mdsalPath }}
- name: {{ include "common.fullname" . }}-data
- - mountPath: {{ .Values.log.path }}
- name: logs
- - mountPath: /opt/onap/appc/data/org.ops4j.pax.logging.cfg
- name: log-config
- subPath: org.ops4j.pax.logging.cfg
- - mountPath: /opt/onap/appc/data/stores/org.onap.appc.p12
- name: p12-certs
- subPath: org.onap.appc.p12
- - mountPath: /opt/onap/appc/data/stores/org.onap.appc.keyfile
- name: keyfile-certs
- subPath: org.onap.appc.keyfile
- resources:
-{{ include "common.resources" . | indent 12 }}
- {{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 10 }}
- {{- end -}}
- {{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 10 }}
- {{- end }}
-
- # side car containers
- {{ include "common.log.sidecar" . | nindent 8 }}
- volumes:
- - name: keyfile-certs
- secret:
- secretName: {{ include "common.fullname" . }}-certs
- - name: p12-certs
- secret:
- secretName: {{ include "common.fullname" . }}-certs
- - name: localtime
- hostPath:
- path: /etc/localtime
- - name: log-config
- configMap:
- name: {{ include "common.fullname" . }}-logging-cfg
- - name: logs
- emptyDir: {}
- {{ include "common.log.volumes" . | nindent 8 }}
- - name: onap-appc-data-properties-input
- configMap:
- name: {{ include "common.fullname" . }}-onap-appc-data-properties
- - name: onap-appc-svclogic-config-input
- configMap:
- name: {{ include "common.fullname" . }}-onap-appc-svclogic-config
- - name: onap-appc-svclogic-bin
- configMap:
- name: {{ include "common.fullname" . }}-onap-appc-svclogic-bin
- defaultMode: 0755
- - name: onap-appc-bin
- configMap:
- name: {{ include "common.fullname" . }}-onap-appc-bin
- defaultMode: 0755
- - name: onap-sdnc-data-properties-input
- configMap:
- name: {{ include "common.fullname" . }}-onap-sdnc-data-properties
- - name: onap-sdnc-svclogic-config-input
- configMap:
- name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-config
- - name: onap-sdnc-svclogic-bin
- configMap:
- name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-bin
- defaultMode: 0755
- - name: onap-sdnc-bin
- configMap:
- name: {{ include "common.fullname" . }}-onap-sdnc-bin
- defaultMode: 0755
- - name: onap-appc-data-properties
- emptyDir:
- medium: Memory
- - name: onap-appc-svclogic-config
- emptyDir:
- medium: Memory
- - name: onap-sdnc-data-properties
- emptyDir:
- medium: Memory
- - name: onap-sdnc-svclogic-config
- emptyDir:
- medium: Memory
-{{ if not .Values.persistence.enabled }}
- - name: {{ include "common.fullname" . }}-data
- emptyDir: {}
-{{ else }}
- volumeClaimTemplates:
- - metadata:
- name: {{ include "common.fullname" . }}-data
- labels:
- name: {{ include "common.fullname" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
- spec:
- accessModes:
- - {{ .Values.persistence.accessMode }}
- storageClassName: {{ include "common.storageClass" . }}
- resources:
- requests:
- storage: {{ .Values.persistence.size }}
-{{ end }}
diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml
deleted file mode 100644
index d224030db3..0000000000
--- a/kubernetes/appc/values.yaml
+++ /dev/null
@@ -1,371 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - centralizedLoggingEnabled: false - persistence: - mountPath: /dockerdata-nfs - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: "db-root-pass" - name: '{{ include "common.release" . }}-appc-db-root-pass' - externalSecret: '{{ .Values.config.dbRootPassExternalSecret }}' - type: password - password: '{{ .Values.config.dbRootPass }}' - - uid: 'appcdb-user-creds' - name: '{{ include "common.release" . }}-appcdb-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.appcdb.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.appcdb.userName }}' - password: '{{ .Values.config.appcdb.password }}' - - uid: 'sdncdb-user-creds' - name: '{{ include "common.release" . }}-sdncdb-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.sdncdb.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.sdncdb.userName }}' - password: '{{ .Values.config.sdncdb.password }}' - - -################################################################# -# Application configuration defaults. -################################################################# -flavor: small -# application image -image: onap/appc-image:1.7.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# log configuration -log: - path: /var/log/onap - -# application configuration -config: -# dbRootPassExternalSecret: some secret -# dbRootPass: password - appcdb: - # Warning: changing this config option may not work. - # It seems that the DB name is hardcoded. - dbName: appcctl - userName: appcctl - # password: appcctl - # userCredsExternalSecret: some secret - sdncdb: - # Warning: changing this config option may not work. - # It seems that the DB name is hardcoded. - dbName: sdnctl - userName: sdnctl - # password: gamma - # userCredsExternalSecret: some secret - odlUid: 100 - odlGid: 101 - ansibleServiceName: appc-ansible-server - ansiblePort: 8000 - mariadbGaleraSVCName: &appc-db appc-db - mariadbGaleraContName: *appc-db - enableAAF: true - enableClustering: false - configDir: /opt/onap/appc/data/properties - dmaapTopic: SUCCESS - dmaapTopicEnv: AUTO - logstashServiceName: log-ls - logstashPort: 5044 - odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - openStackType: OpenStackProvider - openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: enc:LDEbHEAvTF1R - odlUser: admin - dmaapServiceUrl: http://localhost:8080/publish - dmaapServiceUser: appc - dmaapServicePassword: onapappc - -appc-ansible-server: - enabled: true - service: - name: appc-ansible-server - internalPort: 8000 - config: - mysqlServiceName: *appc-db - -appc-cdt: - enabled: true - 
-mariadb-galera: - nameOverride: *appc-db - rootUser: - externalSecret: '{{ include "common.release" . }}-appc-db-root-pass' - service: - name: *appc-db - nfsprovisionerPrefix: appc - sdnctlPrefix: appc - persistence: - mountSubPath: appc/data - enabled: true - disableNfsProvisioner: true - serviceAccount: - nameOverride: *appc-db - replicaCount: 1 - - mariadbConfiguration: |- - [client] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - plugin_dir=/opt/bitnami/mariadb/plugin - - [mysqld] - lower_case_table_names = 1 - default_storage_engine=InnoDB - basedir=/opt/bitnami/mariadb - datadir=/bitnami/mariadb/data - plugin_dir=/opt/bitnami/mariadb/plugin - tmpdir=/opt/bitnami/mariadb/tmp - socket=/opt/bitnami/mariadb/tmp/mysql.sock - pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid - bind_address=0.0.0.0 - - ## Character set - collation_server=utf8_unicode_ci - init_connect='SET NAMES utf8' - character_set_server=utf8 - - ## MyISAM - key_buffer_size=32M - myisam_recover_options=FORCE,BACKUP - - ## Safety - skip_host_cache - skip_name_resolve - max_allowed_packet=16M - max_connect_errors=1000000 - sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE - sysdate_is_now=1 - - ## Binary Logging - log_bin=mysql-bin - expire_logs_days=14 - # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql - sync_binlog=0 - # Required for Galera - binlog_format=row - - ## Caches and Limits - tmp_table_size=32M - max_heap_table_size=32M - # Re-enabling as now works with Maria 10.1.2 - query_cache_type=1 - query_cache_limit=4M - query_cache_size=256M - max_connections=500 - thread_cache_size=50 - open_files_limit=65535 - table_definition_cache=4096 - table_open_cache=4096 - - ## InnoDB - innodb=FORCE - innodb_strict_mode=1 - # Mandatory per https://github.com/codership/documentation/issues/25 - innodb_autoinc_lock_mode=2 - # Per 
https://www.percona.com/blog/2006/08/04/innodb-double-write/ - innodb_doublewrite=1 - innodb_flush_method=O_DIRECT - innodb_log_files_in_group=2 - innodb_log_file_size=128M - innodb_flush_log_at_trx_commit=1 - innodb_file_per_table=1 - # 80% Memory is default reco. - # Need to re-evaluate when DB size grows - innodb_buffer_pool_size=2G - innodb_file_format=Barracuda - - ## Logging - log_error=/opt/bitnami/mariadb/logs/mysqld.log - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log - log_queries_not_using_indexes=1 - slow_query_log=1 - - ## SSL - ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem - # ssl_ca=/certs/ca.pem - # ssl_cert=/certs/server-cert.pem - # ssl_key=/certs/server-key.pem - - [galera] - wsrep_on=ON - wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so - wsrep_sst_method=mariabackup - wsrep_slave_threads=4 - wsrep_cluster_address=gcomm:// - wsrep_cluster_name=galera - wsrep_sst_auth="root:" - # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit - innodb_flush_log_at_trx_commit=2 - # MYISAM REPLICATION SUPPORT # - wsrep_replicate_myisam=ON - binlog_format=row - default_storage_engine=InnoDB - innodb_autoinc_lock_mode=2 - transaction-isolation=READ-COMMITTED - wsrep_causal_reads=1 - wsrep_sync_wait=7 - - [mariadb] - plugin_load_add=auth_pam - - ## Data-at-Rest Encryption - ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem - # plugin_load_add=file_key_management - # file_key_management_filename=/encryption/keyfile.enc - # file_key_management_filekey=FILE:/encryption/keyfile.key - # file_key_management_encryption_algorithm=AES_CTR - # encrypt_binlog=ON - # encrypt_tmp_files=ON - - ## InnoDB/XtraDB Encryption - # innodb_encrypt_tables=ON - # innodb_encrypt_temporary_tables=ON - # innodb_encrypt_log=ON - # innodb_encryption_threads=4 - # innodb_encryption_rotate_key_age=1 - - ## Aria Encryption - # aria_encrypt_tables=ON - # 
encrypt_tmp_disk_tables=ON - -dgbuilder: - nameOverride: appc-dgbuilder - certInitializer: - nameOverride: appc-dgbuilder-cert-initializer - config: - db: - rootPasswordExternalSecret: '{{ include "common.release" . }}-appc-db-root-pass' - userCredentialsExternalSecret: '{{ include "common.release" . }}-sdncdb-user-creds' - dbPodName: *appc-db - dbServiceName: *appc-db - service: - name: appc-dgbuilder - serviceAccount: - nameOverride: appc-dgbuilder - ingress: - enabled: false - service: - - baseaddr: "appc-dgbuilder" - name: "appc-dgbuilder" - port: 3000 - config: - ssl: "redirect" - -#passing value to cdt chart. value of nodePort3 will be same as appc.service.nodePort3. -appc-cdt: - nodePort3: 11 -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 300 - periodSeconds: 60 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 300 - periodSeconds: 60 - -service: - type: NodePort - name: appc - portName: appc - - internalPort: 8443 - externalPort: 8443 - nodePort: 30 - - externalPort2: 1830 - nodePort2: 31 - clusterPort: 2550 - - internalPort3: 9191 - externalPort3: 9090 - nodePort3: 11 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: appc/mdsal - mdsalPath: /opt/opendaylight/current/daexim - -ingress: - enabled: false - service: - - baseaddr: "appc-api" - name: "appc" - port: 8443 - plain_port: 1830 - config: - ssl: "redirect" - -# Configure resource requests and limits -# ref: http://kubernetes.io/docs/user-guide/compute-resources/ -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/cds/Chart.yaml b/kubernetes/cds/Chart.yaml index 578899f198..d8b6cc7de0 100644 --- a/kubernetes/cds/Chart.yaml +++ b/kubernetes/cds/Chart.yaml @@ -17,32 +17,33 @@ apiVersion: v2 description: ONAP Controller Design Studio (CDS) name: cds -version: 12.0.0 +version: 13.0.2 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' + condition: global.mariadbGalera.localCluster - name: cds-blueprints-processor - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-blueprints-processor' condition: cds-blueprints-processor.enabled - name: cds-command-executor - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-command-executor' condition: cds-command-executor.enabled - name: cds-py-executor - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-py-executor' condition: cds-py-executor.enabled - name: cds-sdc-listener - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-sdc-listener' condition: cds-sdc-listener.enabled - name: cds-ui - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-ui' condition: cds-ui.enabled 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml index 3ef9519d55..e4fc011880 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP CDS Blueprints Processor name: cds-blueprints-processor -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~12.x-0 + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer b/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer deleted file mode 100755 index e9a50d7ea0..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV -BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx -NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK -DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 -XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn -H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM -pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 -NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg -2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY -wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd -ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM -P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 -aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY -PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G -A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ -UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz -L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 -7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx -c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf -jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 -RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h -PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF -CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ -Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A -cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR -ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX -dYY= ------END CERTIFICATE----- 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties index 2818fd99b4..b99bae7197 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties @@ -1,6 +1,6 @@ {{/* # -# Copyright (c) 2017-2022 AT&T, IBM, Bell Canada, Nordix Foundation. +# Copyright (c) 2017-2023 AT&T, IBM, Bell Canada, Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -101,11 +101,7 @@ blueprintsprocessor.restclient.sdnc.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoG # AAI Data REST Client settings blueprintsprocessor.restclient.aai-data.type=basic-auth -{{ if ( include "common.needTLS" .) }} -blueprintsprocessor.restclient.aai-data.url=https://{{ .Values.global.aaiData.ServiceName }}:8443 -{{- else -}} blueprintsprocessor.restclient.aai-data.url=http://{{ .Values.global.aaiData.ServiceName }}:{{ .Values.global.aaiData.ExternalPlainPort }} -{{- end }} blueprintsprocessor.restclient.aai-data.username=aai@aai.onap.org blueprintsprocessor.restclient.aai-data.password=demo123456! blueprintsprocessor.restclient.aai-data.additionalHeaders.X-TransactionId=cds-transaction-id 
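Review bot: With the `common.needTLS` branch removed in the `@@ -101,11 +101,7 @@` hunk, `blueprintsprocessor.restclient.aai-data.url` is always `http://`, while the same client is `basic-auth` with a username and password on the following context lines. Those credentials therefore cross the cluster network in clear text unless something outside this template encrypts the hop. If the chart now relies on a service mesh for mTLS, say so beside the URL, e.g. `# plain HTTP by design: transport encryption is expected from the service-mesh sidecar`, so that a deployment without the mesh is recognised as exposed. The password is also a literal in the template; reading it from a Secret through an environment placeholder, as `${SASL_JAAS_PASS}` is handled further down this file, would keep it out of the rendered configuration. The rest of the file lies outside this hunk.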
@@ -121,70 +117,44 @@ blueprintsprocessor.restclient.cps-data.additionalHeaders.Accept=application/jso blueprintsprocessor.restclient.cps-data.additionalHeaders.Content-Type=application/json # Self Service Request Kafka Message Consumer -blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable={{ .Values.kafkaRequestConsumer.enabled }} -blueprintsprocessor.messageconsumer.self-service-api.type={{ .Values.kafkaRequestConsumer.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable=true +blueprintsprocessor.messageconsumer.self-service-api.type=kafka-scram-plain-text-auth blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ .Values.kafkaRequestConsumer.bootstrapServers }} +{{- with (first .Values.kafkaUser.acls) }} +blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .name }} {{- end }} -blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .Values.kafkaRequestConsumer.groupId }} -blueprintsprocessor.messageconsumer.self-service-api.topic={{ .Values.kafkaRequestConsumer.topic }} -blueprintsprocessor.messageconsumer.self-service-api.clientId={{ .Values.kafkaRequestConsumer.clientId }} -blueprintsprocessor.messageconsumer.self-service-api.pollMillSec={{ .Values.kafkaRequestConsumer.pollMillSec }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.release" . 
}}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageconsumer.self-service-api.topic=cds.blueprint-processor.self-service-api.request +blueprintsprocessor.messageconsumer.self-service-api.clientId=request-receiver-client-id +blueprintsprocessor.messageconsumer.self-service-api.pollMillSec=1000 +blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.name" . }}-ku +blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${SASL_JAAS_PASS} # Self Service Response Kafka Message Producer -blueprintsprocessor.messageproducer.self-service-api.type={{ .Values.kafkaRequestProducer.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ .Values.kafkaRequestProducer.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.clientId={{ .Values.kafkaRequestProducer.clientId }} -blueprintsprocessor.messageproducer.self-service-api.topic={{ .Values.kafkaRequestProducer.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.clientId=request-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.topic=cds.blueprint-processor.self-service-api.response +blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.name" . 
}}-ku +blueprintsprocessor.messageproducer.self-service-api.scramPassword=${SASL_JAAS_PASS} # AUDIT KAFKA FEATURE CONFIGURATION # Audit feature dumps CDS request to a topic as well as a truncated response message to another topic. ## Audit request -blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable={{ .Values.kafkaAuditRequest.enabled }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.type={{ .Values.kafkaAuditRequest.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable=true +blueprintsprocessor.messageproducer.self-service-api.audit.request.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId={{ .Values.kafkaAuditRequest.clientId }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.topic={{ .Values.kafkaAuditRequest.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId=audit-request-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.audit.request.topic=cds.blueprint-processor.self-service-api.audit.request +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.name" . 
}}-ku +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${SASL_JAAS_PASS} ## Audit response -blueprintsprocessor.messageproducer.self-service-api.audit.response.type={{ .Values.kafkaAuditResponse.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId={{ .Values.kafkaAuditResponse.clientId }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.topic={{ .Values.kafkaAuditResponse.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId=audit-response-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.audit.response.topic=cds.blueprint-processor.self-service-api.audit.response +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.name" . }}-ku +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${SASL_JAAS_PASS} # Executor Options blueprintsprocessor.resourceResolution.enabled=true 
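Review bot: Every Kafka client in the `@@ -121,70 +117,44 @@` hunk is now pinned to `kafka-scram-plain-text-auth` on `…-strimzi-kafka-bootstrap:9092`, where the type and bootstrap servers used to come from values. An operator can no longer point CDS at a TLS-protected listener, and the request, response and audit payloads presumably travel unencrypted unless a mesh wraps the connection. Keeping both settings overridable, with the current strings as defaults, would preserve that choice. Separately, `groupId` is taken from `first .Values.kafkaUser.acls`, which depends on the consumer-group ACL being the first list entry; if the list is reordered the consumer gets a group name it may not be authorised for, and if it is empty the `with` block drops the property altogether. A comment such as `# groupId = name of the first kafkaUser ACL, which must be the consumer-group entry` would make that coupling visible.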
@@ -225,3 +195,14 @@ blueprintprocessor.k8s.plugin.url=http://multicloud-k8s:9015/ #Workflow audit store configuration blueprintsprocessor.workflow.self-service-api.audit.storeEnable={{ .Values.workflow.storeEnabled }} + +#Tracing +spring.zipkin.baseUrl={{ .Values.tracing.collector.baseUrl }} +spring.zipkin.checkTimeout=5000 +spring.zipkin.service.name={{ include "common.name" . }} +spring.sleuth.messaging.jms.enabled=false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c, b3 +spring.sleuth.supports-join=false +spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml deleted file mode 100644 index 555f4d4e60..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml +++ /dev/null 
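Review bot: `spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }}` joins the list with commas, but as far as I know Sleuth compiles this property as a single regular expression, so two or more entries yield a pattern that matches none of the intended paths and the probe traffic is traced anyway. Joining with the alternation operator, `{{ join "|" .Values.tracing.ignorePatterns }}`, gives the expected behaviour. No switch for disabling span export is visible in this hunk, so an unset `tracing.collector.baseUrl` would render `spring.zipkin.baseUrl=` with no value; a short comment naming the expected values keys would help, since `values.yaml` is not part of this hunk.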
@@ -1,68 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ if eq .Values.useStrimziKafka true }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaRequestConsumer.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaRequestProducer.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaAuditRequest.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaAuditResponse.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 -{{ end }} \ No newline at end of file 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml deleted file mode 100644 index 65ee1d2a96..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml +++ /dev/null @@ -1,49 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ if eq .Values.useStrimziKafka true }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: group - name: {{ .Values.kafkaRequestConsumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaRequestConsumer.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaRequestProducer.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaAuditRequest.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaAuditResponse.topic }} - operation: All -{{ end }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml index 1e4f5e10a0..c00d12fe74 100755 
--- a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,38 +18,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} strategy: type: RollingUpdate rollingUpdate: - # This allow a new pod to be ready before terminating the old one + # This allows a new pod to be ready before terminating the old one # causing no downtime when replicas is set to 1 maxUnavailable: 0 - # maxSurge to 1 is very important for the hazelcast integration # we only want one pod at a time to restart not multiple # and break the hazelcast cluster. We should not use % maxSurge value # ref : https://hazelcast.com/blog/rolling-upgrade-hazelcast-imdg-on-kubernetes/ maxSurge: 1 template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: 
@@ -75,21 +62,6 @@ spec: name: {{ include "common.name" . }}-update-config - command: - - /app/ready.py - args: - - --container-name - - cds-db - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - - name: fix-permission - command: - chown - -R - 1000:1000 @@ -99,6 +71,8 @@ spec: volumeMounts: - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints + name: fix-permission + containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -110,8 +84,6 @@ spec: value: {{ if (gt (int (.Values.replicaCount)) 2) }} {{ .Values.cluster.enabled | quote }} {{ else }} "false" {{ end }} - name: CLUSTER_ID value: {{ .Values.cluster.clusterName }} - - name: AAF_CREDSPATH - value: {{ .Values.certInitializer.credsPath }} - name: CLUSTER_NODE_ID valueFrom: fieldRef: @@ -122,10 +94,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "login") | indent 12 }} - name: CPS_PASS_PLAIN {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "password") | indent 12 }} - {{ if .Values.useStrimziKafka }} - - name: JAAS_PASS - value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-kafka-secret" "key" "password") | indent 12 }} - {{ end }} + - name: SASL_JAAS_PASS + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: password ports: - containerPort: {{ .Values.service.http.internalPort }} - containerPort: {{ .Values.service.grpc.internalPort }} 
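Review bot: `SASL_JAAS_PASS` in the `@@ -122,10 +94,11 @@` hunk reads key `password` from a Secret named `{{ include "common.name" . }}-ku`, which is not prefixed with the release the way the removed KafkaUser was (`{{ include "common.release" . }}-{{ .Values.cdsKafkaUser }}`). If `common.name` resolves to the chart name only, two releases in one namespace would share the same Kafka user and Secret. The same literal is repeated as `scramUsername` in `application.properties`, so the two must be changed together; a comment such as `# Secret of the KafkaUser <name>-ku; must match scramUsername in application.properties` would record that. The container spec starts and ends outside this hunk.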
@@ -133,7 +106,7 @@ spec: startupProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.startup.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== @@ -146,7 +119,7 @@ spec: livenessProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.liveness.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== @@ -157,17 +130,14 @@ spec: readinessProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.readiness.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: {{ .Values.config.appConfigDir }}/application.properties name: processed-config subPath: application.properties @@ -180,15 +150,9 @@ spec: - mountPath: {{ .Values.config.appConfigDir }}/hazelcast.yaml name: {{ include "common.fullname" . }}-config subPath: hazelcast.yaml - - - mountPath: {{ .Values.config.appConfigDir }}/ONAP_RootCA.cer - name: {{ include "common.fullname" . }}-config - subPath: ONAP_RootCA.cer - - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
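Review bot: The three probes touched here (startupProbe, livenessProbe and readinessProbe, in hunks `@@ -133,7 +106,7 @@`, `@@ -146,7 +119,7 @@` and `@@ -157,17 +130,14 @@`) still send a literal `Authorization: Basic …` header, so a Base64-encoded username and password sit in the chart and in every rendered Deployment. Base64 is an encoding, not protection: anyone who can read the repository or the manifest has the credential, and it cannot be rotated without editing the template. Probe `httpHeaders` accept only literal values, so the cleaner fix is to let the health-check path answer without authentication or to use a dedicated account that can do nothing else. At minimum the header value should come from values.yaml, as the port now does, so that deployments can override the default. The probe blocks continue outside these hunks.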
@@ -198,10 +162,7 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -214,13 +175,10 @@ spec: path: logback.xml - key: hazelcast.yaml path: hazelcast.yaml - - key: ONAP_RootCA.cer - path: ONAP_RootCA.cer - name: {{ include "common.fullname" . }}-blueprints persistentVolumeClaim: claimName: {{ include "common.release" . }}-cds-blueprints - name: processed-config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml index 153740c553..a841811dd1 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada +# Modification Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,19 +25,15 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: spec: type: {{ .Values.service.http.type }} ports: - port: {{ .Values.service.http.externalPort }} targetPort: {{ .Values.service.http.internalPort }} - {{- if eq .Values.service.http.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.http.nodePort }} - {{- end}} - name: {{ .Values.service.http.portName | default "http" }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.http.portName | default "http" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} --- apiVersion: v1 kind: Service @@ -48,7 +45,6 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: spec: type: {{ .Values.service.grpc.type }} ports: @@ -56,8 +52,8 @@ spec: targetPort: {{ .Values.service.grpc.internalPort }} name: {{ .Values.service.grpc.portName | default "grpc" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} --- apiVersion: v1 kind: Service 
@@ -69,16 +65,13 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: spec: type: {{ .Values.service.cluster.type }} + clusterIP: None ports: - port: {{ .Values.service.cluster.externalPort }} targetPort: {{ .Values.service.cluster.internalPort }} - {{- if eq .Values.service.cluster.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.cluster.nodePort }} - {{- end}} name: {{ .Values.service.cluster.portName | default "cluster" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index 87a1b03ada..b0812f26b8 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
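Review bot: `clusterIP: None` is added unconditionally in hunk `@@ -69,16 +65,13 @@` while `type` is still rendered from `.Values.service.cluster.type`. A headless Service is only valid with type ClusterIP, so an override to NodePort or LoadBalancer will now be rejected by the API server at install time. The hunk already drops the NodePort branch, so the type could simply be fixed as `type: ClusterIP`; otherwise add a comment next to `service.cluster.type` in values.yaml stating that only ClusterIP is supported for the cluster service.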
@@ -18,20 +18,24 @@ # Global configuration defaults. ################################################################# global: - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefixExt: 304 - + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows NBI to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) + localCluster: true + globalCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera # image pull policy pullPolicy: Always - persistence: mountPath: /dockerdata-nfs - # This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - # This concerns CDS/AAI communication through HTTP when TLS is not being needed # Port value should match the one in aai/values.yml : service.externalPlainPort aaiData: @@ -39,9 +43,6 @@ global: ServiceName: aai # domain # http://aai:80 or https://aai:443 - #AAF is enabled by default - #aafEnabled: true - #enable importCustomCerts to add custom CA to blueprint processor pod #importCustomCertsEnabled: true @@ -65,13 +66,6 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.sdncDB.dbRootPassExternalSecret) . }}' password: '{{ .Values.config.sdncDB.dbRootPass }}' passwordPolicy: required - - uid: cds-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: password - value: '{{ .Values.config.someConfig }}' - policy: generate - uid: cps-creds type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.cps.cpsUserExternalSecret) . }}' 
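Review bot: The comment added above `localCluster: true` in hunk `@@ -18,20 +18,24 @@` says the flag "allows NBI to instantiate its own mariadb-galera cluster", but this is the cds-blueprints-processor values file. It also tells the reader to set `globalCluster: false` when changing the flag to "true", although both values are already set that way, so it reads as copied from another chart. I would reword it to `# localCluster: true makes CDS deploy its own mariadb-galera cluster; keep globalCluster: false in that case (dependency condition in Chart.yaml)`.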
@@ -79,36 +73,11 @@ secrets: password: '{{ .Values.config.cps.cpsPassword }}' passwordPolicy: required -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: cds-blueprints-processor-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: sdnc-cds - fqi: sdnc-cds@sdnc-cds.onap.org - public_fqdn: sdnc-cds.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.sdnc-cds - #enable below if we need custom CA to be added to blueprint processor pod - #importCustomCertsEnabled: true - #truststoreMountpath: /opt/onap/cds - #truststoreOutputFileName: truststoreONAPall.jks - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-blueprintsprocessor:1.4.1 +image: onap/ccsdk-blueprintsprocessor:1.5.3 pullPolicy: Always # flag to enable debugging - application support required @@ -132,7 +101,6 @@ config: # dbCredsExternalSecret: # dbRootPassword: password # dbRootPassExternalSecret - someConfig: blah cps: cpsUsername: '' cpsPassword: '' 
@@ -145,46 +113,52 @@ nodeSelector: {} affinity: {} -# If useStrimziKafka is true, the following also applies: -# strimzi will create an associated kafka user and the topics defined for Request and Audit elements below. -# The connection type must be kafka-scram-plain-text-auth -# The bootstrapServers will target the strimzi kafka cluster by default -useStrimziKafka: false -cdsKafkaUser: cds-kafka-user +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: cds-bp-processor + type: group + operations: [Read] + - name: cds.blueprint-processor + type: topic + patternType: prefix + operations: [Read, Write] +# Strimzi KafkaTopic config +kafkaTopic: + - name: cds.blueprint-processor.self-service-api.request + - name: cds.blueprint-processor.self-service-api.response + - name: cds.blueprint-processor.self-service-api.audit.request + - name: cds.blueprint-processor.self-service-api.audit.response + + +containerHttpPort: &svc_http_port 8080 +containerGrpcPort: &svc_grpc_port 9111 +containerTcpPort: &svc_tcp_port 5701 -kafkaRequestConsumer: - enabled: false - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - groupId: cds-consumer - topic: cds.blueprint-processor.self-service-api.request - clientId: request-receiver-client-id - pollMillSec: 1000 -kafkaRequestProducer: - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: request-producer-client-id - topic: cds.blueprint-processor.self-service-api.response - enableIdempotence: false -kafkaAuditRequest: - enabled: false - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: audit-request-producer-client-id - topic: cds.blueprint-processor.self-service-api.audit.request - enableIdempotence: false -kafkaAuditResponse: - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: audit-response-producer-client-id - topic: cds.blueprint-processor.self-service-api.audit.response - enableIdempotence: false +service: + http: + type: ClusterIP + 
portName: http + internalPort: *svc_http_port + externalPort: *svc_http_port + grpc: + type: ClusterIP + portName: grpc + internalPort: *svc_grpc_port + externalPort: *svc_grpc_port + cluster: + type: ClusterIP + portName: tcp-cluster + internalPort: *svc_tcp_port + externalPort: *svc_tcp_port + port: *svc_http_port # probe configuration parameters startup: initialDelaySeconds: 10 failureThreshold: 30 periodSeconds: 10 + port: *svc_http_port liveness: initialDelaySeconds: 1 @@ -193,28 +167,13 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: false + port: *svc_http_port readiness: initialDelaySeconds: 120 periodSeconds: 10 timeoutSeconds: 20 - -service: - http: - type: ClusterIP - portName: http - internalPort: 8080 - externalPort: 8080 - grpc: - type: ClusterIP - portName: grpc - internalPort: 9111 - externalPort: 9111 - cluster: - type: ClusterIP - portName: tcp-cluster - internalPort: 5701 - externalPort: 5701 + port: *svc_http_port persistence: volumeReclaimPolicy: Retain @@ -227,9 +186,7 @@ persistence: cluster: # Cannot have cluster enabled if the replicaCount is not at least 3 enabled: false - clusterName: cds-cluster - # Defines the number of node to be part of the CP subsystem/raft algorithm. This value should be # between 3 and 7 only. groupSize: 3 @@ -257,20 +214,25 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "1.8Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "1.8Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "3.6Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "3.6Gi" unlimited: {} +readinessCheck: + wait_for: + services: + - '{{ .Values.global.mariadbGalera.service }}' + #Pods Service Account serviceAccount: nameOverride: cds-blueprints-processor 
@@ -280,3 +242,11 @@ serviceAccount: # workflow store flag workflow: storeEnabled: false + +tracing: + collector: + baseUrl: http://jaeger-collector.istio-system:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + ignorePatterns: + - .*/execution-service/health-check diff --git a/kubernetes/cds/components/cds-command-executor/Chart.yaml b/kubernetes/cds/components/cds-command-executor/Chart.yaml index d89615984a..eaa1e8de9e 100755 --- a/kubernetes/cds/components/cds-command-executor/Chart.yaml +++ b/kubernetes/cds/components/cds-command-executor/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP CDS Command Executor name: cds-command-executor -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml index da835162e7..07736cfa1e 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml 
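Review bot: The new `tracing` block in hunk `@@ -280,3 +242,11 @@` defaults `sampling.probability` to `1.0` and points `collector.baseUrl` at a plain `http://` endpoint in another namespace, and no switch to turn tracing off is visible in this hunk. With these defaults every request except the health check is exported as a span, and spans can carry request paths and identifiers. Whether the hop to the collector is encrypted depends on service-mesh mTLS, which this chart does not show. I would ship a lower default such as `probability: 0.1` and add a comment on `baseUrl` stating that transport protection relies on the mesh.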
@@ -16,31 +16,19 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: - /app/ready.py args: - - --container-name - - cds-blueprints-processor + - --service-name + - cds-blueprints-processor-http env: - name: NAMESPACE valueFrom: 
@@ -51,39 +39,41 @@ spec: - name: PROMETHEUS_METRICS_ENABLED value: {{ .Values.metrics.serviceMonitor.enabled | quote }} - name: PROMETHEUS_PORT - value: {{ .Values.service.metrics.internalPort | quote }} + value: {{ .Values.metrics.serviceMonitor.internalPort | quote }} {{ end }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.grpc.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ .Values.service.grpc.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end }} readinessProbe: tcpSocket: - port: {{ .Values.service.grpc.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -94,9 +84,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-blueprints {{- if .Values.persistence.enabled }} persistentVolumeClaim: @@ -104,5 +91,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-command-executor/templates/service.yaml b/kubernetes/cds/components/cds-command-executor/templates/service.yaml index 7540728ee9..c131358663 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/service.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/service.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright (c) 2019 Bell Canada +# Copyright (C) 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,34 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.grpc.externalPort }} - targetPort: {{ .Values.service.grpc.internalPort }} - {{- if eq .Values.service.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end}} - name: {{ .Values.service.grpc.portName | default "grpc" }} - {{- if .Values.metrics.serviceMonitor.enabled }} - - port: {{ .Values.service.metrics.externalPort }} - targetPort: {{ .Values.service.metrics.internalPort }} - {{- if eq .Values.service.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end}} - name: {{ .Values.service.metrics.portName | default "metrics" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} \ No newline at end of file +{{ include "common.service" . }} diff --git a/kubernetes/cds/components/cds-command-executor/values.yaml b/kubernetes/cds/components/cds-command-executor/values.yaml index 75a9915399..e517d8bdbf 100755 --- a/kubernetes/cds/components/cds-command-executor/values.yaml +++ b/kubernetes/cds/components/cds-command-executor/values.yaml @@ -32,7 +32,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-commandexecutor:1.4.1 +image: onap/ccsdk-commandexecutor:1.5.3 pullPolicy: Always # application configuration 
@@ -62,14 +62,13 @@ readiness: service: type: ClusterIP - grpc: - portName: grpc - internalPort: 50051 - externalPort: 50051 - metrics: - portName: tcp-metrics - internalPort: 10005 - externalPort: 10005 + name: cds-command-executor + internalPort: 50051 + ports: + - name: grpc + port: 50051 + - name: &metricsPortname tcp-metrics + port: &metricsPort 10005 persistence: enabled: false @@ -82,18 +81,18 @@ ingress: resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "200Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "200Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "400Mi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "400Mi" unlimited: {} #Pods Service Account @@ -105,7 +104,8 @@ serviceAccount: metrics: serviceMonitor: enabled: false - port: tcp-metrics + port: *metricsPortname + internalPort: *metricsPort path: /actuator/prometheus basicAuth: enabled: false diff --git a/kubernetes/cds/components/cds-py-executor/Chart.yaml b/kubernetes/cds/components/cds-py-executor/Chart.yaml index 7fb96f9807..ea1723c31c 100755 --- a/kubernetes/cds/components/cds-py-executor/Chart.yaml +++ b/kubernetes/cds/components/cds-py-executor/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP CDS Py Executor name: cds-py-executor -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml b/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml index 754e0d0f50..1376eb7b37 100755 --- a/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml 
@@ -63,9 +63,6 @@ spec: - name: ARTIFACT_MANAGER_SERVER_LOG_FILE value: {{ .Values.config.artifactManagerLogFile }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints resources: @@ -80,14 +77,10 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime # Py executor shares the blueprintsprocessor storage (for now) to # share uploaded CBA files. In the future it will be deprecated # when all parts of the CDS will make use of Artifact Manager - name: {{ include "common.fullname" . }}-blueprints persistentVolumeClaim: claimName: {{ include "common.release" . }}-cds-blueprints - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-py-executor/values.yaml b/kubernetes/cds/components/cds-py-executor/values.yaml index 96056294e5..f3d712e7c1 100755 --- a/kubernetes/cds/components/cds-py-executor/values.yaml +++ b/kubernetes/cds/components/cds-py-executor/values.yaml @@ -30,7 +30,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-py-executor:1.4.1 +image: onap/ccsdk-py-executor:1.5.3 pullPolicy: Always # default number of instances @@ -97,18 +97,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "200Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "200Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "400Mi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "400Mi" unlimited: {} #Pods Service Account 
diff --git a/kubernetes/cds/components/cds-sdc-listener/Chart.yaml b/kubernetes/cds/components/cds-sdc-listener/Chart.yaml index 39d0e6c1c3..dc5fef287a 100755 --- a/kubernetes/cds/components/cds-sdc-listener/Chart.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP CDS SDC listener microservice name: cds-sdc-listener -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml b/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml index 3710f5f510..fe4edc7779 100644 --- a/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml 
@@ -1,20 +1,19 @@ listenerservice: config: - asdcAddress: sdc-be.{{include "common.namespace" .}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }} #SDC-BE + sdcAddress: sdc-be.{{include "common.namespace" .}}:8080 #SDC-BE messageBusAddress: message-router.{{include "common.namespace" .}} #Message-Router user: cds #SDC-username password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U #SDC-password pollingInterval: 15 pollingTimeout: 60 relevantArtifactTypes: TOSCA_CSAR - consumerGroup: cds + consumerGroup: {{ (first .Values.kafkaUser.acls).name }} + consumerId: {{ (first .Values.kafkaUser.acls).name }}-sdc-listener environmentName: AUTO - consumerId: cds keyStorePassword: keyStorePath: activateServerTLSAuth : false - isUseHttpsWithDmaap: false - isUseHttpsWithSDC: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + isUseHttpsWithSDC: false archivePath: /opt/app/onap/sdc-listener/ grpcAddress: cds-blueprints-processor-grpc grpcPort: 9111 diff --git a/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml b/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml index 3a6d76165b..6922b24c8e 100644 --- a/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright (c) 2019 Bell Canada +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
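Review bot: In hunk `@@ -1,20 +1,19 @@` the new side pins `sdcAddress` to port 8080 and sets `isUseHttpsWithSDC: false`, replacing the `common.needTLS` toggle, while the unchanged `user` and `password` lines keep the SDC credential as a literal in this config file. The listener therefore authenticates to SDC over plain HTTP unless a service mesh encrypts the hop, which is not visible here. The password also ends up wherever this file is rendered, which from the deployment's volume items looks like a ConfigMap rather than a Secret. I would supply the password from a Secret, for example as an environment variable injected with `secretKeyRef` the way `SASL_JAAS_CONFIG` is in this commit, provided the application can read it from the environment (to be confirmed). A comment on `isUseHttpsWithSDC` should name the component that provides transport encryption.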
@@ -13,38 +14,23 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: - /app/ready.py args: - - --container-name + - --service-name - sdc-be - - --container-name - - message-router - - --container-name - - cds-blueprints-processor + - --service-name + - cds-blueprints-processor-http env: - name: NAMESPACE valueFrom: @@ -54,6 +40,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -61,21 +54,24 @@ spec: env: - name: APP_CONFIG_HOME value: {{ .Values.config.appConfigDir }} - ports: - - containerPort: {{ .Values.service.http.internalPort }} - name: {{ .Values.service.http.portName }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + ports: {{- include "common.containerPorts" . | nindent 12 }} {{ if .Values.liveness.enabled }} livenessProbe: httpGet: path: /api/v1/sdclistener/healthcheck - port: {{ .Values.service.http.portName }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{end}} readinessProbe: httpGet: path: /api/v1/sdclistener/healthcheck - port: {{ .Values.service.http.portName }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: @@ -85,8 +81,7 @@ spec: - mountPath: {{ .Values.config.appConfigDir }}/logback.xml name: {{ include "common.fullname" . }}-config subPath: logback.xml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -105,5 +100,4 @@ spec: path: application.yaml - key: logback.xml path: logback.xml - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-sdc-listener/templates/kafkauser.yaml b/kubernetes/cds/components/cds-sdc-listener/templates/kafkauser.yaml new file mode 100644 index 0000000000..324a068cf0 --- /dev/null +++ b/kubernetes/cds/components/cds-sdc-listener/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@
+{{/*
+# Copyright © 2022-23 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml b/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml
index 42bd2b33e9..e62653fff2 100644
--- a/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml
+++ b/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml
@@ -1,5 +1,5 @@
 {{/*
-# Copyright (c) 2019 Bell Canada
+# Copyright (c) 2023 Deutsche Telekom
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,25 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.http.externalPort }} - targetPort: {{ .Values.service.http.internalPort }} - {{- if eq .Values.service.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end}} - name: {{ .Values.service.http.portName | default "http" }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-sdc-listener/values.yaml b/kubernetes/cds/components/cds-sdc-listener/values.yaml index 9ceeec8081..4658b578bf 100644 --- a/kubernetes/cds/components/cds-sdc-listener/values.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/values.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2019 Bell Canada +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -29,14 +30,23 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-sdclistener:1.4.1 +image: onap/ccsdk-sdclistener:1.5.3 name: sdc-listener pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false -# application configuration +kafkaUser: + acls: + - name: cds + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + config: appConfigDir: /opt/app/onap/config @@ -61,10 +71,11 @@ readiness: service: type: ClusterIP - http: - portName: http - internalPort: 8080 - externalPort: 8080 + name: cds-sdc-listener + internalPort: 8080 + ports: + - name: http + port: 8080 persistence: enabled: true @@ -86,18 +97,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "700Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "700Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "1.4Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "1.4Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/cds/components/cds-ui/Chart.yaml b/kubernetes/cds/components/cds-ui/Chart.yaml index 2bf7c584e0..51485b76e1 100644 --- a/kubernetes/cds/components/cds-ui/Chart.yaml +++ b/kubernetes/cds/components/cds-ui/Chart.yaml @@ -17,18 +17,15 @@ apiVersion: v2 description: ONAP CDS UI name: cds-ui -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cds/components/cds-ui/templates/deployment.yaml b/kubernetes/cds/components/cds-ui/templates/deployment.yaml index 6457ce3736..a58f1d9e29 100644 
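Review bot: The `SDC-DISTR` entry under `kafkaUser.acls` in the hunk at `@@ -29,14 +30,23 @@` combines `patternType: prefix` with `operations: [Read, Write]`, so the listener's Kafka user may produce to every topic whose name starts with that prefix, including topics it presumably only consumes. If write access is needed for a single status or acknowledgement topic only (an assumption, the topic list is not visible here), keep `operations: [Read]` on the prefix entry and add a second entry naming that one topic literally with `operations: [Write]`. Either way, a comment above the ACL should record why `Write` is granted, for example `# Write is required because the listener publishes distribution status` if that is indeed the reason.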
--- a/kubernetes/cds/components/cds-ui/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-ui/templates/deployment.yaml @@ -17,35 +17,18 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.fullname" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{- include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -58,6 +41,8 @@ spec: env: - name: HOST value: 0.0.0.0 + - name: PROTOCOL + value: "{{ .Values.config.env.protocol }}" - name: APP_ACTION_DEPLOY_BLUEPRINT_GRPC_ENABLED value: "{{ .Values.config.app.action.deployBlueprint.grpcEnabled }}" - name: API_BLUEPRINT_CONTROLLER_HTTP_BASE_URL 
@@ -74,23 +59,12 @@ spec: value: "{{ .Values.config.api.processor.grpc.port }}" - name: API_BLUEPRINT_PROCESSOR_GRPC_AUTH_TOKEN value: {{ .Values.config.api.processor.grpc.authToken }} - {{- if .Values.global.aafEnabled }} - - name: KEYSTORE - value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12" - - name: PASSPHRASE - value: "{{ .Values.certInitializer.credsPath }}/mycreds.prop" - {{- end }} readinessProbe: tcpSocket: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -100,9 +74,4 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-ui/templates/service.yaml b/kubernetes/cds/components/cds-ui/templates/service.yaml index bfc3e30c84..e62653fff2 100644 --- a/kubernetes/cds/components/cds-ui/templates/service.yaml +++ b/kubernetes/cds/components/cds-ui/templates/service.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2017 Amdocs, Bell Canada, Orange +# Copyright (c) 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
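Review bot: `API_BLUEPRINT_PROCESSOR_GRPC_AUTH_TOKEN` in the hunk at `@@ -74,23 +59,12 @@` is still rendered as a literal `value:` from `.Values.config.api.processor.grpc.authToken`, so the token is stored in the Deployment manifest and the release values, readable by anyone allowed to get either. The cds-sdc-listener deployment in this same commit takes `SASL_JAAS_CONFIG` through `secretKeyRef`, and the token should be injected the same way. The Secret name and key below are placeholders, because the chart's secret definitions are not part of this hunk.

```yaml
          # … unchanged: preceding env entries …
          - name: API_BLUEPRINT_PROCESSOR_GRPC_AUTH_TOKEN
            valueFrom:
              secretKeyRef:
                name: <GRPC_AUTH_SECRET_NAME>   # placeholder
                key: <GRPC_AUTH_SECRET_KEY>     # placeholder
          # … unchanged: readinessProbe, resources …
```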
@@ -14,28 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}-{{ .Values.service.internalPort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-ui/values.yaml b/kubernetes/cds/components/cds-ui/values.yaml index 204e1cc611..7a25bea4c7 100644 --- a/kubernetes/cds/components/cds-ui/values.yaml +++ b/kubernetes/cds/components/cds-ui/values.yaml 
@@ -22,33 +22,14 @@ global: subChartsOnly: enabled: true -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: cds-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: sdnc-cds - fqi: sdnc-cds@sdnc-cds.onap.org - public_fqdn: sdnc-cds.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.sdnc-cds - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop - # application image -image: onap/ccsdk-cds-ui-server:1.4.1 +image: onap/ccsdk-cds-ui-server:1.5.3 pullPolicy: Always # application configuration config: + env: + protocol: HTTP app: action: deployBlueprint: @@ -94,10 +75,13 @@ readiness: service: type: NodePort - portName: cds-ui name: cds-ui - nodePort: 97 internalPort: 3000 + ports: + - name: http + port: 3000 + nodePort: 97 + useNodePortExt: true ingress: enabled: false @@ -114,18 +98,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "200Mi" requests: - cpu: 10m - memory: 100Mi + cpu: "0.5" + memory: "200Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "200Mi" requests: - cpu: 200m - memory: 200Mi + cpu: "1" + memory: "200Mi" unlimited: {} #Pods Service Account diff --git a/kubernetes/cds/values.yaml b/kubernetes/cds/values.yaml index 58e6b65c6f..ced4f1d930 100644 --- a/kubernetes/cds/values.yaml +++ b/kubernetes/cds/values.yaml 
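Review bot: The `service` block at `@@ -94,10 +75,13 @@` keeps `type: NodePort` and adds `useNodePortExt: true`, while the same file now defaults `config.env.protocol: HTTP` and drops the `certInitializer` keystore; taken together the UI appears to be published on an external node port without TLS by default. If transport security is meant to come from an ingress or service mesh in front of the pod, default the service to `type: ClusterIP` (as the cli chart does in this commit) and leave NodePort as an explicit override. The meaning of `useNodePortExt` and `PROTOCOL` is inferred from their names, since the `common.service` template and the UI server are not visible here.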
@@ -1,7 +1,7 @@ # Copyright © 2020 Samsung Electronics # Copyright © 2019 Orange, Bell Canada # Copyright © 2017 Amdocs, Bell Canada -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +23,20 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - cdsKafkaUser: cds-kafka-user + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows NBI to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) + localCluster: true + globalCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: + ################################################################# # Secrets metaconfig @@ -42,7 +55,6 @@ secrets: # application images pullPolicy: Always - subChartsOnly: enabled: true 
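Review bot: The comment on `localCluster` in the added `mariadbGalera` block (`@@ -23,7 +23,20 @@`) says the flag lets NBI instantiate its own cluster and tells the reader to set `globalCluster: false` "when changing it to true", but this is the CDS chart and the block already ships `localCluster: true` with `globalCluster: false`. The text looks copied from another chart and will mislead whoever flips these flags later. Suggested wording: `# localCluster: true lets CDS create its own mariadb-galera cluster; keep globalCluster: false in that case, the Chart.yaml dependency check depends on it`.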
@@ -80,132 +92,15 @@ mariadb-galera: name: &mysqlDbName sdnctl nameOverride: &dbServer cds-db replicaCount: 1 + mariadbOperator: + galera: + enabled: false persistence: enabled: true mountSubPath: cds/data serviceAccount: nameOverride: *dbServer - mariadbConfiguration: |- - [client] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - plugin_dir=/opt/bitnami/mariadb/plugin - - [mysqld] - lower_case_table_names = 1 - default_storage_engine=InnoDB - basedir=/opt/bitnami/mariadb - datadir=/bitnami/mariadb/data - plugin_dir=/opt/bitnami/mariadb/plugin - tmpdir=/opt/bitnami/mariadb/tmp - socket=/opt/bitnami/mariadb/tmp/mysql.sock - pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid - bind_address=0.0.0.0 - - ## Character set - collation_server=utf8_unicode_ci - init_connect='SET NAMES utf8' - character_set_server=utf8 - - ## MyISAM - key_buffer_size=32M - myisam_recover_options=FORCE,BACKUP - - ## Safety - skip_host_cache - skip_name_resolve - max_allowed_packet=16M - max_connect_errors=1000000 - sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY - sysdate_is_now=1 - - ## Binary Logging - log_bin=mysql-bin - expire_logs_days=14 - # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql - sync_binlog=0 - # Required for Galera - binlog_format=row - - ## Caches and Limits - tmp_table_size=32M - max_heap_table_size=32M - # Re-enabling as now works with Maria 10.1.2 - query_cache_type=1 - query_cache_limit=4M - query_cache_size=256M - max_connections=500 - thread_cache_size=50 - open_files_limit=65535 - table_definition_cache=4096 - table_open_cache=4096 - - ## InnoDB - innodb=FORCE - innodb_strict_mode=1 - # Mandatory per https://github.com/codership/documentation/issues/25 - innodb_autoinc_lock_mode=2 - # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ - innodb_doublewrite=1 - 
innodb_flush_method=O_DIRECT - innodb_log_files_in_group=2 - innodb_log_file_size=128M - innodb_flush_log_at_trx_commit=1 - innodb_file_per_table=1 - # 80% Memory is default reco. - # Need to re-evaluate when DB size grows - innodb_buffer_pool_size=2G - innodb_file_format=Barracuda - - ## Logging - log_error=/opt/bitnami/mariadb/logs/mysqld.log - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log - log_queries_not_using_indexes=1 - slow_query_log=1 - - ## SSL - ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem - # ssl_ca=/certs/ca.pem - # ssl_cert=/certs/server-cert.pem - # ssl_key=/certs/server-key.pem - - [galera] - wsrep_on=ON - wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so - wsrep_sst_method=mariabackup - wsrep_slave_threads=4 - wsrep_cluster_address=gcomm:// - wsrep_cluster_name=galera - wsrep_sst_auth="root:" - # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit - innodb_flush_log_at_trx_commit=2 - # MYISAM REPLICATION SUPPORT # - wsrep_replicate_myisam=ON - - [mariadb] - plugin_load_add=auth_pam - - ## Data-at-Rest Encryption - ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem - # plugin_load_add=file_key_management - # file_key_management_filename=/encryption/keyfile.enc - # file_key_management_filekey=FILE:/encryption/keyfile.key - # file_key_management_encryption_algorithm=AES_CTR - # encrypt_binlog=ON - # encrypt_tmp_files=ON - - ## InnoDB/XtraDB Encryption - # innodb_encrypt_tables=ON - # innodb_encrypt_temporary_tables=ON - # innodb_encrypt_log=ON - # innodb_encryption_threads=4 - # innodb_encryption_rotate_key_age=1 - - ## Aria Encryption - # aria_encrypt_tables=ON - # encrypt_tmp_disk_tables=ON - cds-blueprints-processor: enabled: true config: 
@@ -214,7 +109,6 @@ cds-blueprints-processor: dbPort: 3306 dbName: *mysqlDbName dbCredsExternalSecret: *dbUserSecretName - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.kafkaUser }}' cds-command-executor: enabled: true @@ -228,24 +122,22 @@ cds-sdc-listener: cds-ui: enabled: true - #Resource Limit flavor -By Default using small flavor: small -#segregation for different envionment (Small and Large) - +#segregation for different environment (Small and Large) resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} diff --git a/kubernetes/cli/Chart.yaml b/kubernetes/cli/Chart.yaml index 16885d96a3..956a923e0d 100644 --- a/kubernetes/cli/Chart.yaml +++ b/kubernetes/cli/Chart.yaml @@ -17,21 +17,18 @@ apiVersion: v2 description: ONAP Command Line Interface name: cli -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cli/resources/configuration/lighttpd.conf b/kubernetes/cli/resources/configuration/lighttpd.conf index 0809868b35..f1735a1e5d 100644 --- a/kubernetes/cli/resources/configuration/lighttpd.conf +++ b/kubernetes/cli/resources/configuration/lighttpd.conf 
@@ -1,6 +1,7 @@ {{/* # Copyright 2018 Huawei Technologies Co., Ltd. # Copyright 2021 Huawei Technologies Co., Ltd. +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,9 +19,7 @@ server.document-root = "/var/www-data/servers/open-cli/" server.username = "www-data" server.groupname = "www-data" -server.port = 443 -ssl.engine = "enable" -ssl.pemfile = "{{ .Values.certInitializer.credsPath }}/certs/fullchain.pem" +server.port = {{ .Values.containerPort }} mimetype.assign = ( ".html" => "text/html", @@ -38,18 +37,8 @@ server.modules = ( "mod_proxy", "mod_alias", "mod_compress", - "mod_redirect", -# "mod_rewrite", + "mod_redirect" ) -#server.upload-dirs = ( "/var/cache/lighttpd/uploads" ) server.errorlog = "/var/log/lighttpd/error.log" server.pid-file = "/var/run/lighttpd.pid" -#compress.cache-dir = "/var/cache/lighttpd/compress/" -#compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" ) - -# default listening port for IPv6 falls back to the IPv4 port -## Use ipv6 if available -#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port -#include_shell "/usr/share/lighttpd/create-mime.assign.pl" -#include_shell "/usr/share/lighttpd/include-conf-enabled.pl" \ No newline at end of file diff --git a/kubernetes/cli/templates/NOTES.txt b/kubernetes/cli/templates/NOTES.txt deleted file mode 100644 index f3fe9c9d55..0000000000 --- a/kubernetes/cli/templates/NOTES.txt +++ /dev/null 
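Review bot: With `ssl.engine` and `ssl.pemfile` removed at `@@ -18,9 +19,7 @@`, lighttpd now answers in plaintext on `{{ .Values.containerPort }}`, and nothing in the file records where TLS is expected to be terminated. Add a comment next to `server.port`, for example `# plain HTTP by design: TLS is terminated upstream (ingress / service mesh); do not expose this port directly`, so that a later change of the Service type does not silently publish an unencrypted endpoint. Whether an ingress or mesh actually fronts this pod cannot be confirmed from this hunk.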
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/cli/templates/configmap.yaml b/kubernetes/cli/templates/configmap.yaml index ae515a0ec5..a4c636f0e4 100644 --- a/kubernetes/cli/templates/configmap.yaml +++ b/kubernetes/cli/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,13 +17,6 @@ apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-lighttpd - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: -{{ tpl (.Files.Glob "resources/configuration/*").AsConfig . | indent 2 }} \ No newline at end of file +{{ tpl (.Files.Glob "resources/configuration/*").AsConfig . | indent 2 }} diff --git a/kubernetes/cli/templates/deployment.yaml b/kubernetes/cli/templates/deployment.yaml index 0a3f967eee..9f8d71c332 100644 --- a/kubernetes/cli/templates/deployment.yaml +++ b/kubernetes/cli/templates/deployment.yaml 
@@ -16,57 +16,41 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort1 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container + ports: {{ include "common.containerPorts" . 
| nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - name: lighttpd - mountPath: "/etc/lighttpd/lighttpd.conf" + mountPath: /etc/lighttpd/lighttpd.conf subPath: lighttpd.conf readOnly: true env: - name: OPEN_CLI_MODE value: "{{ .Values.config.climode }}" - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -76,9 +60,8 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: lighttpd configMap: - name: {{ include "common.fullname" . }}-lighttpd - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + name: {{ include "common.fullname" . }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cli/templates/ingress.yaml b/kubernetes/cli/templates/ingress.yaml index 8f87c68f1e..0deb6ce481 100644 --- a/kubernetes/cli/templates/ingress.yaml +++ b/kubernetes/cli/templates/ingress.yaml 
@@ -1 +1,16 @@
+{{/*
+# Modifications Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
 {{ include "common.ingress" . }}
diff --git a/kubernetes/cli/templates/service.yaml b/kubernetes/cli/templates/service.yaml
index eaa85086b3..b33db211f9 100644
--- a/kubernetes/cli/templates/service.yaml
+++ b/kubernetes/cli/templates/service.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2023 Nordix Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,36 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort1 }} - targetPort: {{ .Values.service.internalPort1 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort1 }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort1 }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort1 }} - targetPort: {{ .Values.service.internalPort1 }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort1 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/cli/values.yaml b/kubernetes/cli/values.yaml index db36661383..8ad2240ee4 100644 --- a/kubernetes/cli/values.yaml +++ b/kubernetes/cli/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,63 +17,45 @@ # Global configuration defaults. ################################################################# global: - nodePortPrefix: 302 - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: cli-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "cli" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.cli" - fqi: "cli@cli.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ - -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ - -alias ca_local_0 \ - -storepass $cadi_truststore_password - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** generating needed file" - cat {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/cert.pem \ - {{ .Values.credsPath }}/certs/cacert.pem \ - > {{ .Values.credsPath }}/certs/fullchain.pem; - cat {{ .Values.credsPath }}/certs/fullchain.pem - echo "*** change ownership of certificates to targeted user" - chown -R 33 {{ .Values.credsPath }} - - + persistence: {} ################################################################# # Application configuration defaults. 
################################################################# # application image image: onap/cli:6.0.1 -pullPolicy: Always +pullPolicy: IfNotPresent + +# flag to enable debugging - application support required +debugEnabled: false + +nodeSelector: {} +affinity: {} + +# Resource Limit flavor -By Default using small flavor: small +# default number of instances +replicaCount: 1 # application configuration config: climode: daemon -# default number of instances -replicaCount: 1 - -nodeSelector: {} +containerPort: &svc_port 8080 +service: + type: ClusterIP + name: cli + ports: + - name: http + port: *svc_port + targetPort: *svc_port -affinity: {} +ingress: + enabled: true + service: + - baseaddr: "cli-api" + path: "/" + name: "cps" + port: *svc_port # probe configuration parameters liveness: @@ -81,50 +64,33 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: *svc_port + path: / readiness: initialDelaySeconds: 10 periodSeconds: 10 + port: *svc_port + path: / -service: - type: NodePort - name: cli - externalPort: 443 - externalPort1: 9443 - internalPort: "443" - internalPort1: 9443 - nodePort: "60" - nodePort1: "71" - -ingress: - enabled: false - service: - - baseaddr: "cli-api" - name: "cli" - port: 443 - - baseaddr: "cli2-api" - name: cli - port: 9443 - config: - ssl: "redirect" # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/common/Makefile b/kubernetes/common/Makefile index a884d1a329..2fce88fe84 100644 --- a/kubernetes/common/Makefile +++ b/kubernetes/common/Makefile 
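Review bot: The re-added `ingress.service` entry in the hunk at `@@ -16,63 +17,45 @@` sets `name: "cps"`, while the Service defined a few lines above it is `name: cli` and the removed entry used `name: "cli"`. With `ingress.enabled: true` now the default, the generated route would most likely reference a backend Service this chart does not create, although how `common.ingress` consumes `name` is not visible here. This looks like a copy-paste from another chart and should read `name: "cli"`.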
@@ -20,8 +20,8 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets COMMON_CHARTS_DIR := common EXCLUDES := -PROCESSED_LAST := cert-wrapper repository-wrapper -PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount certInitializer cmpv2Config +PROCESSED_LAST := repository-wrapper +PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount cmpv2Config TO_FILTER := $(COMMON_CHARTS_DIR) $(PROCESSED_FIRST) $(EXCLUDES) $(PROCESSED_LAST) HELM_BIN := helm diff --git a/kubernetes/common/cassandra/Chart.yaml b/kubernetes/common/cassandra/Chart.yaml index bb4c5b4beb..ee3f4e5355 100644 --- a/kubernetes/common/cassandra/Chart.yaml +++ b/kubernetes/common/cassandra/Chart.yaml @@ -18,15 +18,16 @@ apiVersion: v2 description: ONAP cassandra name: cassandra -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../serviceAccount' + condition: global.cassandra.enableServiceAccount \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/backup/configmap.yaml b/kubernetes/common/cassandra/templates/backup/configmap.yaml index 9bbc69ba04..2c85a1a01f 100644 --- a/kubernetes/common/cassandra/templates/backup/configmap.yaml +++ b/kubernetes/common/cassandra/templates/backup/configmap.yaml @@ -13,6 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} {{- if .Values.backup.enabled }} apiVersion: v1 kind: ConfigMap @@ -28,3 +29,4 @@ data: {{ tpl (.Files.Glob "resources/restore.sh").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/exec.py").AsConfig . | indent 2 }} {{- end -}} +{{- end -}} 
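Review bot: In the cassandra `Chart.yaml` hunk, the new `condition: global.cassandra.enableServiceAccount` makes the serviceAccount subchart optional, but only one direction of the coupling with `useOperator` is documented. This commit's `values.yaml` defaults the flag to `false` and says to keep it `false` when the operator is used, while the non-operator StatefulSet still sets `serviceAccountName` (a context line in `statefulset.yaml`). Someone who sets only `useOperator: false` would therefore get pods that reference a ServiceAccount the chart no longer creates, unless something outside this diff provides it. I would add to the values comment `# if useOperator is "false", set enableServiceAccount to "true": the StatefulSet references this ServiceAccount`.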
diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml index 27f3cc690d..6db1202b4f 100644 --- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml +++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} {{- if .Values.backup.enabled }} +{{- if .Values.global.cassandra.useOperator }} +{{ else }} apiVersion: batch/v1beta1 kind: CronJob metadata: @@ -37,7 +39,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --app-name - {{ include "common.name" . }} env: - name: NAMESPACE @@ -48,9 +50,23 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - name: "cassandra-backup-init" image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" command: - /bin/bash - -c @@ -132,9 +148,6 @@ spec: apiVersion: v1 fieldPath: metadata.namespace volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true {{- range $i := until (int .Values.replicaCount)}} - mountPath: /onap-data/cassandra-{{ $i }} name: data-dir-{{ $i }} @@ -223,13 +236,7 @@ spec: volumeMounts: - name: backup-dir mountPath: /backup - - name: localtime - mountPath: /etc/localtime - readOnly: true volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: scripts configMap: name: {{ include "common.fullname" . }}-configmap @@ -243,3 +250,4 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-backup-data {{- end -}} +{{- end -}} \ No newline at end of file 
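Review bot: The guard added at the top of `cronjob.yaml` is `{{- if .Values.global.cassandra.useOperator }}` followed by `{{ else }}`, an empty true-branch that reads as if content were missing; `backup/configmap.yaml` in this same commit writes the same condition as `{{- if not .Values.global.cassandra.useOperator }}`. I would use a single guard here, `{{- if and .Values.backup.enabled (not .Values.global.cassandra.useOperator) }}`, and do the same in `backup/pv.yaml` and `backup/pvc.yaml`, which repeat the pattern. The effect also deserves a comment next to `backup.enabled` in `values.yaml`: with `backup.enabled: true` and `useOperator: true`, no backup CronJob, PV or PVC is rendered and nothing in the chart output signals that backups are off.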
diff --git a/kubernetes/common/cassandra/templates/backup/pv.yaml b/kubernetes/common/cassandra/templates/backup/pv.yaml index 10c310077b..e7218fae7d 100644 --- a/kubernetes/common/cassandra/templates/backup/pv.yaml +++ b/kubernetes/common/cassandra/templates/backup/pv.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} {{- if .Values.backup.enabled }} +{{- if .Values.global.cassandra.useOperator }} +{{ else }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} {{- if eq "True" (include "common.needPV" .) -}} --- @@ -39,3 +41,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/cassandra/templates/backup/pvc.yaml b/kubernetes/common/cassandra/templates/backup/pvc.yaml index 6fd53618bc..56b3ba8b02 100644 --- a/kubernetes/common/cassandra/templates/backup/pvc.yaml +++ b/kubernetes/common/cassandra/templates/backup/pvc.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} {{- if .Values.backup.enabled }} +{{- if .Values.global.cassandra.useOperator }} +{{ else }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} --- kind: PersistentVolumeClaim @@ -39,3 +41,4 @@ spec: storageClassName: {{ include "common.storageClass" . }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/cassandra/templates/cassOp.yaml b/kubernetes/common/cassandra/templates/cassOp.yaml new file mode 100644 index 0000000000..9f463adf08 --- /dev/null +++ b/kubernetes/common/cassandra/templates/cassOp.yaml 
@@ -0,0 +1,19 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.cassandra.useOperator }} +{{ include "common.k8ssandraCluster" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/configmap.yaml b/kubernetes/common/cassandra/templates/configmap.yaml index ab08c82fef..5510986e54 100644 --- a/kubernetes/common/cassandra/templates/configmap.yaml +++ b/kubernetes/common/cassandra/templates/configmap.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.global.cassandra.useOperator }} {{- if .Values.configOverrides }} apiVersion: v1 kind: ConfigMap @@ -25,3 +26,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/docker-entrypoint.sh").AsConfig . | indent 2 }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/ingress.yaml b/kubernetes/common/cassandra/templates/ingress.yaml new file mode 100644 index 0000000000..97d6155a09 --- /dev/null +++ b/kubernetes/common/cassandra/templates/ingress.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/common/cassandra/templates/pv.yaml b/kubernetes/common/cassandra/templates/pv.yaml index a0d998cd07..d18e51d2f4 100644 --- a/kubernetes/common/cassandra/templates/pv.yaml +++ b/kubernetes/common/cassandra/templates/pv.yaml @@ -13,5 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - +{{- if not .Values.global.cassandra.useOperator }} {{ include "common.replicaPV" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/secrets.yaml b/kubernetes/common/cassandra/templates/secrets.yaml new file mode 100644 index 0000000000..5a611a9bef --- /dev/null +++ b/kubernetes/common/cassandra/templates/secrets.yaml 
@@ -0,0 +1,21 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2019 Samsung Electronics +# Copyright © 2019-2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.cassandra.useOperator }} +{{ include "common.secretFast" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/service.yaml b/kubernetes/common/cassandra/templates/service.yaml index 8934d41c33..8b2e534a5f 100644 --- a/kubernetes/common/cassandra/templates/service.yaml +++ b/kubernetes/common/cassandra/templates/service.yaml @@ -14,4 +14,6 @@ # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} {{ include "common.headlessService" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/servicemonitor.yaml b/kubernetes/common/cassandra/templates/servicemonitor.yaml index 5297e692d2..078107393a 100644 --- a/kubernetes/common/cassandra/templates/servicemonitor.yaml +++ b/kubernetes/common/cassandra/templates/servicemonitor.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 43367ee542..ddaff5c7c0 100644 
--- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} apiVersion: apps/v1 kind: StatefulSet metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -26,19 +27,9 @@ spec: type: {{ .Values.updateStrategy.type }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} - {{- if or .Values.podAnnotations (and .Values.metrics.serviceMonitor.enabled .Values.metrics.podAnnotations) }} - annotations: - {{- if .Values.podAnnotations }} - {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.podAnnotations }} - {{- include "common.tplValue" (dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- end }} spec: hostNetwork: {{ .Values.hostNetwork }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -47,9 +38,6 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-data mountPath: /var/lib/cassandra - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: cassandra-entrypoint mountPath: /docker-entrypoint.sh subPath: docker-entrypoint.sh @@ -178,9 +166,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime {{- range $key, $value := .Values.configOverrides }} - name: cassandra-config-{{ $key | replace "." "-" }} configMap: @@ -214,3 +199,4 @@ spec: requests: storage: {{ .Values.persistence.size | quote }} {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index 43ff171abb..0ab1f0961c 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -21,6 +21,65 @@ global: # global defaults mountPath: /dockerdata-nfs backup: mountPath: /dockerdata-nfs/backup + cassandra: + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + +k8ssandraOperator: + cassandraVersion: 4.1.3 + persistence: + #storageClassName: default + size: 10Gi + config: + clusterName: cassandra + secretName: &secretName cassandra-default-user + superuserName: &superusername cassandra + superuserPassword: &superuserpassword cassandra + casOptions: + authorizer: AllowAllAuthorizer + read_request_timeout: 10000ms + write_request_timeout: 10000ms + counter_write_request_timeout: 15000ms + jvmOptions: + heap_initial_size: 512M + heap_max_size: 8192M + hostNetwork: false + datacenters: + - name: dc1 + size: 3 + reaper: + enabled: true + stargate: + enabled: false + tag: v1.0.77 + size: 1 + jvmOptions: + heapSize: 384Mi + +################################################################# +# Secrets metaconfig +# used to store the default superuser for k8ssandra-operator +################################################################# +secrets: + - uid: *secretName + type: genericKV + externalSecret: '{{ tpl (default "" .Values.k8ssandraOperator.config.userCredentialsExternalSecret) . }}' + envs: + - name: username + value: *superusername + - name: password + value: *superuserpassword + +ingress: + enabled: false + service: + - baseaddr: "reaper-dc1" + path: "/webui" + name: "cassandra-dc1-reaper-service" + port: 8080 # application image image: cassandra:3.11.4 
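Review bot: The new `k8ssandraOperator.config` block ships `superuserName: cassandra` and `superuserPassword: cassandra` as chart defaults while `useOperator` defaults to `true`, so an install that overrides nothing gets a database whose superuser has a well-known password. `authorizer: AllowAllAuthorizer` additionally means no per-role permission checks are applied. The `secrets` entry already reads `k8ssandraOperator.config.userCredentialsExternalSecret`, but that key is neither declared nor documented in this block; I would add `# userCredentialsExternalSecret: <name of an existing secret>` under `secretName`, with a comment that the inline password is for lab use only. If role-based access is intended, `authorizer: CassandraAuthorizer` is the setting to use. The comment above `enableServiceAccount` is also missing a closing quote (`"enableServiceAccount"`).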
@@ -101,16 +160,14 @@ service: podAnnotations: # sidecar.istio.io/inject: "false" - traffic.sidecar.istio.io/excludeInboundPorts: "7000,7001" + traffic.sidecar.istio.io/excludeInboundPorts: "7000,7001,7199,50051" traffic.sidecar.istio.io/includeInboundPorts: '*' - traffic.sidecar.istio.io/excludeOutboundPorts: "7000,7001" + traffic.sidecar.istio.io/excludeOutboundPorts: "7000,7001,7199,50051" + podManagementPolicy: OrderedReady updateStrategy: type: RollingUpdate -ingress: - enabled: false - persistence: enabled: true @@ -152,11 +209,11 @@ configOverrides: {} # Minimum memory for production is 4 CPU cores and 8GB memory resources: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "16Gi" requests: - cpu: 0.2 - memory: 2.5Gi + cpu: "0.2" + memory: "2.5Gi" backup: enabled: false cron: "00 00 * * *" diff --git a/kubernetes/common/cert-wrapper/Chart.yaml b/kubernetes/common/cert-wrapper/Chart.yaml deleted file mode 100644 index c42a319d7c..0000000000 --- a/kubernetes/common/cert-wrapper/Chart.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Wrapper chart to allow truststore to be shared among cert-initializer instances -name: cert-wrapper -version: 12.0.0 - -dependencies: - - name: certInitializer - version: ~12.x-0 - repository: 'file://../certInitializer' 
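Review bot: In the `podAnnotations` hunk (`@@ -101,16 +160,14 @@`), adding `7199` and `50051` to `traffic.sidecar.istio.io/excludeInboundPorts` and `excludeOutboundPorts` takes those ports out of the sidecar, so mesh mTLS and authorization policies no longer apply to them. 7199 is Cassandra's JMX port; what listens on 50051 is not visible in this diff. A comment above the annotations should say why each port is excluded and what protects it instead, for example `# 7199 (JMX) and 50051 bypass the mesh: restrict with a NetworkPolicy and JMX authentication`. It is also worth confirming these annotations still reach the pods: the `statefulset.yaml` hunk in this commit removes the explicit `podAnnotations` rendering, and `common.templateMetadata` is not shown here.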
diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh deleted file mode 100755 index 96b0c0c0c8..0000000000 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/bin/sh -{{/* - -# Copyright © 2020-2021 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -CERTS_DIR=${CERTS_DIR:-/certs} -MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs} -WORK_DIR=${WORK_DIR:-/updatedTruststore} -ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} -JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} -TRUSTSTORE_OUTPUT_FILENAME=${TRUSTSTORE_OUTPUT_FILENAME:-truststore.jks} -SSL_WORKDIR=${SSL_WORKDIR:-/usr/local/share/ca-certificates} - -mkdir -p $WORK_DIR - -# Decrypt and move relevant files to WORK_DIR -for f in $CERTS_DIR/*; do - export canonical_name_nob64=$(echo $f | sed 's/.*\/\([^\/]*\)/\1/') - export canonical_name_b64=$(echo $f | sed 's/.*\/\([^\/]*\)\(\.b64\)/\1/') - if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_b64" = "$ONAP_TRUSTSTORE" ]; then - # Dont use onap truststore when aaf is disabled - continue - fi - if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_nob64" = "$ONAP_TRUSTSTORE" ]; then - # Dont use onap truststore when aaf is disabled - continue - fi - if echo $f | grep '\.sh$' >/dev/null; then - continue - fi - if echo $f | grep '\.b64$' >/dev/null - then - base64 -d $f > $WORK_DIR/`basename $f .b64` - else - cp $f $WORK_DIR/. - fi -done - -for f in $MORE_CERTS_DIR/*; do - if echo $f | grep '\.pem$' >/dev/null; then - cp $f $WORK_DIR/. 
- fi -done - -# Prepare truststore output file -if [ "$AAF_ENABLED" = "true" ] - then - echo "AAF is enabled, use 'AAF' truststore" - export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE} - else - echo "AAF is disabled, using JRE truststore" - cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -fi - -# Import Custom Certificates -for f in $WORK_DIR/*; do - if echo $f | grep '\.pem$' >/dev/null; then - echo "importing certificate: $f" - keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt - if [ $? != 0 ]; then - echo "failed importing certificate: $f" - exit 1 - fi - fi -done - -# Import certificates to Linux SSL Truststore -cp $CERTS_DIR/*.crt $SSL_WORKDIR/. -cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/. -update-ca-certificates -if [ $? != 0 ] - then - echo "failed importing certificates" - exit 1 - else - cp /etc/ssl/certs/ca-certificates.crt $WORK_DIR/. -fi diff --git a/kubernetes/common/cert-wrapper/resources/truststoreONAP.p12.b64 b/kubernetes/common/cert-wrapper/resources/truststoreONAP.p12.b64 deleted file mode 100644 index 71b6782c58..0000000000 --- a/kubernetes/common/cert-wrapper/resources/truststoreONAP.p12.b64 +++ /dev/null 
@@ -1,30 +0,0 @@ -MIIGFAIBAzCCBdoGCSqGSIb3DQEHAaCCBcsEggXHMIIFwzCCBb8GCSqGSIb3DQEHBqCCBbAw -ggWsAgEAMIIFpQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIIYleh/TibnoCAggAgIIF -eGle/QhuHZkU5OjTo1L4MUbBFMGEu2hFNjqzYC3fuvfSIdMUxVZ1vQspIPNiPs1+WZ/lB9vZ -vBkQZ6AyBNTqZlHk5vv1tNyLksZCMRWlPLB/GF8becTuawuC2+IJajmuN5aLG9Fsx9G+bKQ6 -fO/VUq4urhuOEhKtft2wVUrQON0GnDcUemj/OLE6jMWrNlrxVdCqqII8xs5yGr/qfIRtpIVx -NZOAJdlKGZcc47wIG+lXHDeibH4rtObOLSk6mY9bjQ7Omp6HsshOaFDsx/ZWiG1+H7ZRDSSK -v5qWpr5xEhBM66TufMi0Tn8XNUsjkKCar25acH1odQQIQLhpFcqDyKaqFQM/60fvH4CTQ1SA -7vhpfUx9y7t2cEIg8lDEhhOUSRIVr+iw0zhoknPxJLfPuhRDzVKm8KxADCVjVR29K9nBgIrF -IVQ4gW0RRmCcHqBPVoakWs0BdTzhMwWtnxTLkpSLZoMkoi/8wfw7SDhaV4G6qXXqvDVaWbwR -nqpZWeQBRDSqOEmsPuLzq2J1Ls/v9J5ZQpeqyyYinGCjUUlC+fE6nhCrNsHeWTOlmBUyh/kA -WDAx1LgctqTwgIpPrJzkjPCfIuJyO7lhHFyBK8j/8NwMUgA5zBismhtQ3kQ3GBmTCm1cFkdz -AR4cV30244Oe3GmJG8ZUWiTjIuq2Eo4ISUR1h50uXlCja9n9n964wPJkNJyHyUa5cqz/EAkM -vzeL0VNW7Jpym3gRxNLqYILFBjZnhC7R9RhHciHYwIEEMj9WywDE6hDZqFReI6N3ZQNIWnHt -Je6e1YFwduGWnQFnL33XZi7ZqVY9Pr7mwu9c/LaCUuwDwy2rtAY50cnpp9CfbIp3oD33sfNe -LMmCcEkRvl/BNMtifnWnsaiCCoUZxLe6d8JWudu4r8M+bdoIkqoIUSyhuIsjjKnYAE/wmZvy -nphgC9tN1g5rY5CxqEQXyGvaD/lRgxpchKqwFFF89dEU27llLPneRSiIpth/pnip104N7H/+ -I5RaHNfaiNTUGLJSqmewCPCKritGJogqaBCj8oiI8uGovQZEYd8kgaDao8FCrpOFaHFhlUxd -fltyOZImAQ4cLEywj9VZFz/AriV+FZWe0VS1A6pBCknwZJBBJPKSQ4fAoDwAWmQsiHRE6h/N -OcD9zh4XqnCgy2f07SOPBf8AnLoe9XJXVm5T6xG8ZwfrmtDYk9Ze2VTxFJsolcaz/58JqSe3 -2mc3nuQqhZEzP7bWoD68ekykfbm2qJcC82fxYKkooNJ1T/Aagh+Vxsc8t/ubAEAKzz4fXZY5 -hO2zuk3AIn6WkwKZwoHfuCXXH1o3vlGsQx59N2kvifNUZf5ZzSbHIB8Hefckh0W9FMYE99de -lKdv5H4BSIiZ4v7r/0AkiV0M6WJOdogkEBIBcE81URAI6uwBuq2vUMyhIlekvmGlfV1+70jR -T22rjPiaswc8+GqDoI1kRrEwHHYT8O2JLBkSBv9A6LkCJPNt2bepPnJM7OyShQ0srmwdZOpY -0YcDZwbWVQNPZqtvZJl860mMisXO9MRIBS1udkL2SgzWYNpgGJN/vaRgjQiDyN9B4x8a+5sx -7fCLzmcxHeP7eYBkmH4guPCRr8VZboQanShKje3iS6ukKI15aD9FnzGn3TwrMyLTqzvBZSct -yM5Ew7cwUe67OKAXATaLc3AK5OBAqyLGMsi5Q1C8Hd/zqu6tQ/aRUpqfocRIIVrO+zEVfPfA 
-DOTtA7y6FHY00J2WwOkmZ9CkUWURFadA1+w3oIvlAxMDTfvEstOfvIs5TJalPRjsQYFW2875 -9IQ01SN7jFYKGWzGfsdtDrEJC3157J9Kjy56QUNgYKVaYe0V26Olwir3mAGH4dSaQMVsMDEw -ITAJBgUrDgMCGgUABBTxE9oEHuqG7KvR83sl8JdO+A6MxAQIwdEAxeLiamcCAggA - diff --git a/kubernetes/common/cert-wrapper/resources/truststoreONAPall.jks.b64 b/kubernetes/common/cert-wrapper/resources/truststoreONAPall.jks.b64 deleted file mode 100644 index 4a92325b19..0000000000 --- a/kubernetes/common/cert-wrapper/resources/truststoreONAPall.jks.b64 +++ /dev/null 
@@ -1,2733 +0,0 @@ -/u3+7QAAAAIAAACBAAAAAgAXZGlnaWNlcnRhc3N1cmVkaWRyb290Y2EAAAF8EFmtSAAFWC41 -MDkAAAO7MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGln -aWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwHhcNMDYx -MTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGln -aUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2Vy -dCBBc3N1cmVkIElEIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt -DhXO5EOAXLGH87dg+XESpa7cJpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qP -kKyK53lTXDGEKvYPmDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5 -a3/UsDg+wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4 -VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/AUaG9ih5 -yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMBAAGjYzBhMA4GA1Ud -DwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRF66Kv9JLLgjEtUYunpyGd -823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkqhkiG9w0BAQUFAAOC -AQEAog683+Lt8ONyc3pklL/3cmbYMuRCdWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lF -WJc1aRqoR+pWxnmrEthngYTffwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJ -Kusm7Xi+fT8r87cmNW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5Q -Z7dsvfPxH2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe -+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8gAAAAIAFWFuZnNl -Y3VyZXNlcnZlcnJvb3RjYQAAAXwQWa1IAAVYLjUwOQAABfMwggXvMIID16ADAgECAggN0+O8 -bPlrsTANBgkqhkiG9w0BAQsFADCBhDESMBAGA1UEBRMJRzYzMjg3NTEwMQswCQYDVQQGEwJF -UzEnMCUGA1UEChMeQU5GIEF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uMRQwEgYDVQQLEwtB -TkYgQ0EgUmFpejEiMCAGA1UEAxMZQU5GIFNlY3VyZSBTZXJ2ZXIgUm9vdCBDQTAeFw0xOTA5 -MDQxMDAwMzhaFw0zOTA4MzAxMDAwMzhaMIGEMRIwEAYDVQQFEwlHNjMyODc1MTAxCzAJBgNV -BAYTAkVTMScwJQYDVQQKEx5BTkYgQXV0b3JpZGFkIGRlIENlcnRpZmljYWNpb24xFDASBgNV -BAsTC0FORiBDQSBSYWl6MSIwIAYDVQQDExlBTkYgU2VjdXJlIFNlcnZlciBSb290IENBMIIC 
-IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2+trK+ZkVJWCkKNypBkBnZwLgV9zSbqn -rPMETnuWC+wR4FumHM4b0g2DHCu4nh1+RTJgDwfpd1h+n2rIYU62JsFMjf9M7zSyH2XYuXj1 -ralxue9PWB2l3nQgl6HtaEzekhdLvKv/ZZqe+0fZV3LzCaGudkQTbpwtRDm8+cc7pFg9Qb20 -wkmjyA3Sly8HZVIAp27Ir2js9BSWtlcfVsM5nytt5PM+9jVk2gwcoYRLL0tL4iwknW2TQOu1 -I44yym9F06iJex7PHvpbQ4vNzagPasoMXrmeR4/w2bYKC1hlFzO5I+R3GX3LSi6Se08vEHex -jS9onGLM4FD47JGnVExXCdV2Y8XoZR7ubWrPCZ36fE+tYAj9VpkPFSx7qYCrjGGPSgd2Qt49 -9N2yJDNbuLWjRMmsf3c8HSPsgqmm4sgGTAL+rFyZmQsvEIqm9H/Vh3QNWUlF9vBxXDkp1r9K -I4v1XwFj0odzKLVLCvX4q4IsfnMlMh0LYwoXgQD/tnZe57SxQMohu9WAUeVIUmcs0mGJBw0P -zkJ3wERznERQoNsQCi2VHIGv5BzlFB7xNkEBAi99c6feQsxM6YkNVvefkdQDxmzJj9vYHOBA -mF1mmZiAbi3/AcXOy0YfrALGQ+auooQ8xU4ePW3JFEzjLkG7yjm/NjwqGapBh06lzksyed2Q -SX8CAwEAAaNjMGEwHwYDVR0jBBgwFoAUnF/QbGOjX5PKk5gIrYyHpSxcwTcwHQYDVR0OBBYE -FJxf0Gxjo1+TypOYCK2Mh6UsXME3MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/ -MA0GCSqGSIb3DQEBCwUAA4ICAQBOHrmKxqCYP27DacBqXElSrMsrXXg4wdVUhJ+T8IcZPSxm -iesNQvzM8HWFP4v0gF155RdnvTWC4vI8jn1bNstagAAp8s4rLPGPqm0Fk2xyx1br31AjKOVF -ED3oZ6OvDlUPkAli70tZovZT8cA15C/BJL15L04gIjv9GiCwpA4scO10P7gTlQZRyOiHJsqk -W2oWIZLdc2CeEBjePIHq6BjDfInyi1A+vRHiFQOoNn0zAWxIFdeIkJkExczmB/S89JDtE+Lq -i8OPozMPwSlME07aFVZxc3KCUPaaM3yisagaNHRlXM7R66tT4BqA2Oo6SeQmMJvlHIqoqRUy -hpmSChAjVhLg9s5M4ru+242ScwFmL2I+snInRTbtTVbjl5n/OjU+pVRKUllLYNvu/ngRf0rc -FHlgtmtkA9sVg+GivvYjl1DwCTM2p3GWJfO5Qn3bOD8sWKzoQuEO2NM7TC6C6YMuazHZ3UeG -T22XkS5P4ihxNRbR8nP+JSsHRyRjJ8j49tlr/BIxVgjAU0KvnNAzfvwG8DFEAxTxWOryag2p -EbKDvsUavwfqWdyjiDXvnHYyPE0GIs4V5d2e2I/a3tLEOeUXgc84R+t/iG1ZG9+fQhSufs+o -sGZl2jevn6o96ii23tUxWBaCW+q7GXUCcxrKSBohk5AKjpOEp307IxiSiaCNrAAAAAIAFWFm -ZmlybXRydXN0Y29tbWVyY2lhbAAAAXwQWa1IAAVYLjUwOQAAA1AwggNMMIICNKADAgECAgh3 -dwYnJqmxfDANBgkqhkiG9w0BAQsFADBEMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLQWZmaXJt -VHJ1c3QxHzAdBgNVBAMMFkFmZmlybVRydXN0IENvbW1lcmNpYWwwHhcNMTAwMTI5MTQwNjA2 -WhcNMzAxMjMxMTQwNjA2WjBEMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLQWZmaXJtVHJ1c3Qx -HzAdBgNVBAMMFkFmZmlybVRydXN0IENvbW1lcmNpYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IB 
-DwAwggEKAoIBAQD2G09nByuhFfUGIssfAbLjc0UGREksu0klFNbOw7erLE/GQTKUV/oSp1sO -4o8fHoYZp6q1LblfDYrCr4U1eTItuxxiN/KxW0o9ys1xX+lCvpToyN75IkhkxuWrxittrQXw -+tULz5rl8FCkiztHpSNbenr4Mz+475mX4yDB1iiJz5T7uUXt40AXEdR08Asx4ismaptMV66s -ID66RXoF872baRWufU4gY8Q1djoHAsk3/cdH7ujxdh1zFfKXpLXIennZQqorf1z+ziZPo2aB -Na9EulQeHDAyZZ3mPJNeUE564zrUbswa+/nSN64kKqtXAyIoDUl1f7co2nW/juPcDnkxAgMB -AAGjQjBAMB0GA1UdDgQWBBSdk8ZTi17Krz+fHg/lmZW8JPaUjzAPBgNVHRMBAf8EBTADAQH/ -MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAWKz0BA7NwA3/Cv3UuhZfKb17 -aJlYSdK0HTdNfyd9RgZdQ8aGLj5zsiZ9T5OptsQqmqshlxSx3ozTq4kV2Gsk1PEWrtikXNR/ -UY7tGAGxk2O9vPhhgJqesc5CcOKpfQYlfSeh/m/ssx4k2uNLVRoAOzW0O9nXXTD9gROJ8sIG -K+1nxI7JQ7JcaxWJArxi/E7ytTOqsm/TCqJQ4/Y76C5EwttmOKkzVkjxbRszjQ2MP2A3ndPK -bX40fg2fcnaLG59y/VI1QUUCli8csppzSSGxSUdFR7TvajQRyU2azFm31gKeWk5ltZSuG98p -sBbxvwCeBzoXZLUEtSMhmQqVO5d87wAAAAIALHRydXN0d2F2ZWdsb2JhbGVjY3AyNTZjZXJ0 -aWZpY2F0aW9uYXV0aG9yaXR5AAABfBBZrUgABVguNTA5AAACZDCCAmAwggIHoAMCAQICDA1q -Xwg/KFw+UZXfXTAKBggqhkjOPQQDAjCBkTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlu -b2lzMRAwDgYDVQQHEwdDaGljYWdvMSEwHwYDVQQKExhUcnVzdHdhdmUgSG9sZGluZ3MsIElu -Yy4xOjA4BgNVBAMTMVRydXN0d2F2ZSBHbG9iYWwgRUNDIFAyNTYgQ2VydGlmaWNhdGlvbiBB -dXRob3JpdHkwHhcNMTcwODIzMTkzNTEwWhcNNDIwODIzMTkzNTEwWjCBkTELMAkGA1UEBhMC -VVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdDaGljYWdvMSEwHwYDVQQKExhUcnVz -dHdhdmUgSG9sZGluZ3MsIEluYy4xOjA4BgNVBAMTMVRydXN0d2F2ZSBHbG9iYWwgRUNDIFAy -NTYgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR+ -+2zmI+NzMgjKYOZTnLp0jRiweJBSgN04wEod0ajMk6SXBjjKDRVixo4BKmWdqt80kS6BweQz -kjHE/Qk6pj+to0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0O -BBYEFKNBBqyQbdFK63WlShCZs7Ghi0r3MAoGCCqGSM49BAMCA0cAMEQCIAfmVNoOoFqyrhGf -h8W2/2neJb74oLcI80TOKt8IIQw3AiAtJgOgBb1r0fZc+GXMhm2znDRIY4QJxY13GuLMnOF0 -ewAAAAIAGXQtdGVsZXNlY2dsb2JhbHJvb3RjbGFzczMAAAF8EFmtSAAFWC41MDkAAAPHMIID -wzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoM -IlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVt 
-cyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMw -HhcNMDgxMDAxMTAyOTU2WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNV -BAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lz -dGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNz -IDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9dZPwYiJvJK7genasfb3ZJNW4 -t/zN8ELg63iIVl6bmlQdTQyK9tPPcPRStdiTBONGhnFBSivwKixVA9ZIw+A5OO3yXDw/RLyT -PWGrTs0NvvAgJ1gORH8EGoel15YUNpDQSXuhdfsaa3Ox+M6pCSzyU9XDFES4hqX2iys52qMz -VNn6chr3IhUciJFrf2blw2qAsCTz34ZFiP0Zf3WHHx+xGwpzJFu5ZeAsVMhg02YXP+HMVDNz -kQI6pn97djmiH5a2OK61yJN0HZ65tOVgnS9W0eDrXltMEnAMbEQgqxHY9Bn20pxSN+f6tsIx -O0rUFJmtxxr1XV/6B7h8DR/Wgx6zAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P -AQH/BAQDAgEGMB0GA1UdDgQWBBS1A/d2O2GCahKqGFPrAyGUv/7OyjANBgkqhkiG9w0BAQsF -AAOCAQEAVj3vlNW92nOyWL6ukK2YJ5f+AbGwUgC4TeQbIXQbfsDuXmkqJa9c1h3a0nnJ85cp -4IaH3gRZD/FZ1GSFS5mvJQQeyUapl96Cshtwn5z2r3Ex3XsFpSzTucpH9sry9uetuUg/vBa3 -wW306gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7hP0HHRwA11fXT91Q+ -gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuImle9eiPZaGzPIm -NC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4pTpPDpFQUWwAAAAIAGXQt -dGVsZXNlY2dsb2JhbHJvb3RjbGFzczIAAAF8EFmtSAAFWC41MDkAAAPHMIIDwzCCAqugAwIB -AgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVt -cyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBD -ZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAx -MTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lz -dGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVz -dCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nz -HoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTN -uUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzp -esVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfF 
-mPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14 -np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG -MB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOi -YQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC -uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q -/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO -4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lD -fMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6FuwgAAAAIAH2NvbW9kb2VjY2Nl -cnRpZmljYXRpb25hdXRob3JpdHkAAAF8EFmtSAAFWC41MDkAAAKNMIICiTCCAg+gAwIBAgIQ -H0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT -EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RP -IENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkwHhcNMDgwMzA2MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZ -BgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR -Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBB -dXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSRFtSrYpn1PlIL -Bs5BAH+X4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0JcfRK9ChQtP6IHG4/bC8v -CVlbpVsLM5niwz2J+Wos77LTBumjQjBAMB0GA1UdDgQWBBR1cacZSBm8nZ3qQUfflMRId5nT -eTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA -7wNbeqy3eApyt4jf/7VGFAkK+qDmfQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8 -SaczepBGR7NjfRObTrdvGDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdYAAAACABRzd2lz -c3NpZ25zaWx2ZXJjYS1nMgAAAXwQWa1IAAVYLjUwOQAABcEwggW9MIIDpaADAgECAghPG9Qv -VLsvSzANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWdu -IEFHMSEwHwYDVQQDExhTd2lzc1NpZ24gU2lsdmVyIENBIC0gRzIwHhcNMDYxMDI1MDgzMjQ2 -WhcNMzYxMDI1MDgzMjQ2WjBHMQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWduIEFH -MSEwHwYDVQQDExhTd2lzc1NpZ24gU2lsdmVyIENBIC0gRzIwggIiMA0GCSqGSIb3DQEBAQUA -A4ICDwAwggIKAoICAQDE8Yd/03gx9zjJ+MOZQ7zH97w3505xukuPpXMdXG6YrgNXrjg3Qy8X 
-PR/IzmgQwXiuGQMrEPoseYP26LlouVXyBESnOfn8BIse8aJNJ/lhe7q35aITtuthPtBs0eb7 -+l7tHbSeoDVboZLL8EmS/oUKBT7m2QviT7vclTf8kekyNSLRHzpOJ4WdsBWUMtphDUdNYEKu -kkfog1pQWOmKi7ldodzdmUofNme7SOSDtjfrSDqvD2ePFwfoBMrvajGH1MC2+ZRxe2dkuLaR -SkJ7ZS4wagz1kO6V5vLNguzZoUrs9rJL5UWF5m14kwQunIJtNqnEMWQfhoMLKvQ1CnjJVc9B -sEfpMJ+ZvmGoBoS5KHpfONkbqTiwg39zwcM7SCqCDyGbuMyoNcOEG4OzPr6klWkBOokAeATZ -yfSZGatWfluLhjkVkaQQLAkygGCzk8AqthgLnX6NSfIQSn/51UYvGZKjmacmrLuMPOYOvEcH -3HNR8XBkLwj5tEcdMGxE6ik3hZJoZryDOP57OS7TUPAf+15gtqmm+idB8ZsYcvL1hHRKyWfE -VK5IZN+M0W6wHeEHjwgemZxx6UzYpfdHEh900VGehvPCoiNAC3PbS6bncwaMwaDpwVmsRvrm -L/jPcZxGbbnEFY04eQNFSO/EXdcI7oc5IoayDQ9YQ/dxqUgu/erWHwIDAQABo4GsMIGpMA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQXoM3B5EG2Ols7y0Wd -vRzCmPqGWDAfBgNVHSMEGDAWgBQXoM3B5EG2Ols7y0WdvRzCmPqGWDBGBgNVHSAEPzA9MDsG -CWCFdAFZAQMBATAuMCwGCCsGAQUFBwIBFiBodHRwOi8vcmVwb3NpdG9yeS5zd2lzc3NpZ24u -Y29tLzANBgkqhkiG9w0BAQUFAAOCAgEAc8aB4CfSLQ/glTDimkF/UCxfX2JhqYZqaRgMdEnW -XYTqQVIYb1itUFYgasa9KGlYkdyRETWpOh28GqVgntgff0WRadl+u3hywQYPKs6PhXBhrKDN -C7g5KVaEMk6Guz3EKtnXH3Lu/lGhIkGxcQJjGoKwYqteVxIf38vddaDAXXmQjBvgUObeMf6Y -e3BfpZDYrfgCtm/TYN1ASyLFPa06ep8aGkeReTO6gtwyaQOWbh9L8HH+42dyoLG/XIvk+pki -x4S5G40jlz/tJeDPZbv1YQTv3R6yWkEiWqGfXSzoW8ltqQwMeKpgxlaPAVoMaLxpGXnEH36X -Bb/F6SRRXtTVS1Pt2SNaNgNlo8EDrUEw80YbhZCvZbXVseQWW3h1HZd6bVmpKo973sOHiRCZ -SXN4yD29UTV0KtXxfmkbKrs7vSW4mlo9cmGQZofuDNZN1BF0C2r+CwP8o1VXif5Ky65bFwXI -8o0jMVM40i1qP4K5jQhq915BdG7DEX4HrClgkT84ylcQDb0wL8el5kGg2q4Fh5qgpGVsTAkM -ibq407nAk4ow+o3lmmsVAU5nqtpiVj6ECGbSxDZ9pz4Q/Ijg1IDlAL2q804Go3pq+WJy4wlP -65sOASPxn7t83NxsEZclsvK0YxTSBipnjIP1zuoH2JpqHuzkCrsqTOsJYDnOymLYLm4AAAAC -AA1jYWRpc2lncm9vdHIyAAABfBBZrUgABVguNTA5AAAFbTCCBWkwggNRoAMCAQICCQCSuIjb -sIrBYzANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJTSzETMBEGA1UEBxMKQnJhdGlzbGF2 -YTETMBEGA1UEChMKRGlzaWcgYS5zLjEZMBcGA1UEAxMQQ0EgRGlzaWcgUm9vdCBSMjAeFw0x -MjA3MTkwOTE1MzBaFw00MjA3MTkwOTE1MzBaMFIxCzAJBgNVBAYTAlNLMRMwEQYDVQQHEwpC -cmF0aXNsYXZhMRMwEQYDVQQKEwpEaXNpZyBhLnMuMRkwFwYDVQQDExBDQSBEaXNpZyBSb290 
-IFIyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoqPEAAnWhV0tbRT2wsNznjXC -cVV+gfurRlDgwXxJeOareVg82v98HJ/YlwJ4PmtBBOlBvb4DLEX2L2TUq12jRz1km+lomsbM -Gz+6vrKLNAIumFUZ/Ixvql/aTM5NAyGj2NI0k1aWy0wMABY8XxrNyMdspq3TMae86OXhZtbS -+wO0QWXJEK4OBWPGgGppMP3S7pDvDSffn5Vz9OEl2mwW3kE4NOqL/NHoBBRhLUF+rMd3TstR -VPtekhgbBFpoxsnE+rcToJi3ESu31lfMfJ4X0csl/oZOJC5WDHhNngESpiunAWVufGIdhITf -6sBrtaUqlYPDUxEMcx0LskaQ0UI6zkBula3/xpStbpeEjn1vnoqADUltc+J7kh7D88Hz6y4F -b9kbzzd2BMi0WuQXp8vddh/QGXboLAWz1pw02JbcYYeRBeRECDPB2rkIZdSusjYN67o4ugzl -m57rjWbdmc/WiUH2BJKKKSltazoc53V9AnEO88DnvcsZ3Z1gssJmYLaxBO7J5oa5mmZAqOcR -7YFFA4v2Z1nowQYRvd3PgAJPZUB4XEdQyJvmH4F75ESoW4Wa4t5a1cf5OkRmS+QyVHzkbJyz -Dj0XorI0EtZ+sqhJu9F6KEC+ohYf3+Q3HxFz+5AKZUOiDXz4BgFVM32wDbj09a6lQld8NhGM -e17EA52MeZ0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD -VR0OBBYEFLWZ+K+wlPXjINYKrc5OVqQubkLtMA0GCSqGSIb3DQEBCwUAA4ICAQAmBl5w52Uz -yIJu2ZwXOht6ZrIB9ng7aV4v6v9O+SjDmCphTLQkEop9bREU95y1yua8nieOTBnIqb16wNc2 -Dm2Fcm6oxqJt9vpzY3+8bnkIHJ2KnxqKU6bYu9k1VbERxakDs1Y7uYSTIl5+wfYSUovqLGe8 -/jZM9bjP0bNJkjvTKQ6ZG5b3Ybg7xCu2eGy0I2/w/dOyXnUfmZWorPba4cUxe/vRRrPSvGe0 -YlS6CfdjsJOimvnpUi6LYBKr/PVgVu8QXIvEGkLcg1tkDsu1vNZPwXw8bo0Tbft76zDQ3E2v -xdW2pUxbccnoMb7oOAZIoRri6tLeEjlYGv+ADoJ15rfJB2wO7/848ZhxxLd/DhXQJWm9Ip0r -7QX2Rkes7cDw1Dvi7O6WW5ATTh5WOuuw75a7liMRuvJDhnRklcgodd8dNbrSN4M4Uzg2O89s -6flrDtD7BOhPd9dlAXiGDHo+IWLxf2NxDMmfRNuoJ6J1vm6BPtfA6xuYD3BcNLKKzMCFGOtu -erP3WqEHv6lCkvNgIpfkFKEHm052wI59/aQlx0ft/x9zrMzDpelvCo6bZcJQhbWjoFMSzFWH -YfOBrhBGYb1EIbjCPXTPfiQ1+hwHDps9IsrvMS+MrBK970Ao/Clnn7ITT2YkxFMZ6R4pFe/m -bbB/LWf982wbdUaj5UoX6aTXCwAAAAIADXNlY3VyZXRydXN0Y2EAAAF8EFmtSAAFWC41MDkA -AAO8MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBIMQsw -CQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xFzAVBgNVBAMT -DlNlY3VyZVRydXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIzMTE5NDA1NVowSDELMAkG -A1UEBhMCVVMxIDAeBgNVBAoTF1NlY3VyZVRydXN0IENvcnBvcmF0aW9uMRcwFQYDVQQDEw5T -ZWN1cmVUcnVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKukgeWVzfX2 
-FI7CT8rU4niVWJxB4Q2ZQCQXOZEzZum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6pkjG -nx29vo6pQT64lO0pGtSO0gMdA+9tDWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgUXPLI -XgGZbf2IzIaowW8xQmxSPmjL8xk037uHGFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPeZqx2 -pHGj7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b01k/unK8RCSc43Oz969XL0Imnal0ugBS8kvN -U3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmHursCAwEAAaOBnTCBmjATBgkrBgEEAYI3 -FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUQjK2 -FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2NybC5zZWN1cmV0 -cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEB -ADDtT0rhWDpSclu1pqNlGKa7UTt36Z3q059c4EVlew3KW+JwULKUBRSuSceNQQcSc5R+DCMh -/bwQf2AQWnL1mA6s7Ll/3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHfmbx8IVQr5Fii -u1cprp6poxkmD5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZnMUFdAvn -ZyPSCPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR3ItH -uuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jEAAAACAAlhY2N2cmFp -ejEAAAF8EFmtSAAFWC41MDkAAAfXMIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcN -AQEFBQAwQjESMBAGA1UEAwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQK -DARBQ0NWMQswCQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIx -EjAQBgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUNDVjEL -MAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCbqau/YUqXry+X -Zpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoYHtiP2Ra8EEg2XPBjs5Ba -XCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWoG2ioPej0RGy9ocLLA76MPhMAhN9K -SMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpAlHPrzg5XPAOBOp0KoVdDaaxXbXmQeOW1tDvY -vEyNKKGno6e6Ak4l0Squ7a4DIrhrIA8wKFSVf+DuzgpmndFALW4ir50awQUZ0m/A8p/4e7MC -QvtQqR0tkw8jq8bBD5L/0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9w -rqODJerWx5eHk6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2 -x/474KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMOm3WR -5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpacXpkatcnYGMN -285J9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPluUsXQA+xtrn13k/c4LOs 
-OxFwYIRKQ26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYIKwYBBQUHAQEEcTBvMEwGCCsGAQUF -BzAChkBodHRwOi8vd3d3LmFjY3YuZXMvZmlsZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRv -cy9yYWl6YWNjdjEuY3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1Ud -DgQWBBTSh7Tj3zcnk1X2VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaA -FNKHtOPfNyeTVfZW6oHlNsyMHj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCC -ASIGCCsGAQUFBwICMIIBFB6CARAAQQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUAcgB0 -AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBhAO0AegAgAGQAZQAgAGwAYQAgAEEAQwBDAFYAIAAo -AEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUAYwBuAG8AbABvAGcA7QBhACAAeQAgAEMAZQBy -AHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBjAHQAcgDzAG4AaQBjAGEALAAgAEMASQBG -ACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAAQwBQAFMAIABlAG4AIABoAHQAdABwADoALwAv -AHcAdwB3AC4AYQBjAGMAdgAuAGUAczAwBggrBgEFBQcCARYkaHR0cDovL3d3dy5hY2N2LmVz -L2xlZ2lzbGFjaW9uX2MuaHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly93d3cuYWNjdi5l -cy9maWxlYWRtaW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2MV9kZXIuY3JsMA4G -A1UdDwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZIhvcNAQEFBQAD -ggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdpD70ER9m+27Up -2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gUJyCpZET/LtZ1qmxNYEAZ -SUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+mAM/EKXMRNt6GGT6d7hmKG9Ww7Y49 -nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepDvV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt -3OAJTS+xJlsndQAJxGJ3KQhfnlmstn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4n -Qeit2hW3sCPdK6jT2iWH7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBg -vgW1m54ERL5hI6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG -7szAh1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xFd3+Y -J5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2HpPVWQxaZLPSk -VrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7AAAAAgAhZW50cnVzdHJvb3RjZXJ0aWZp -Y2F0aW9uYXV0aG9yaXR5AAABfBBZrUgABVguNTA5AAAElTCCBJEwggN5oAMCAQICBEVrUFQw -DQYJKoZIhvcNAQEFBQAwgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMu -MTkwNwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZl 
-cmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNVBAMTJEVudHJ1 -c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMjcyMDIzNDJaFw0yNjEx -MjcyMDUzNDJaMIGwMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjE5MDcG -A1UECxMwd3d3LmVudHJ1c3QubmV0L0NQUyBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJlbmNl -MR8wHQYDVQQLExYoYykgMjAwNiBFbnRydXN0LCBJbmMuMS0wKwYDVQQDEyRFbnRydXN0IFJv -b3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC2lbZDQvrGbSpvSN+UTDlXBe7DeRFBaDbt7P6aAY+hOCj89xBGZi5NHhqxGk7G0cCV -iLDJ/zGLMwPbt4N7PiCEXu2yViin+OC5QHE3xctHDpcqaMAilWIV20fZ9dAr/4JLya0+3kzb -kIBQPwmKhADsMAo9GM37/SpZmiOVFyxFnh9uQ3ltDFyY/kinxSNHXF79bucetPZoRdGGg1ui -io2x4ymA/iVxiK2+vI+sUpZLqlGN5BMxGehOTZ/brLNq1bw5VHHKenp/kN19HYDZgbtZJsIR -/uaT4veA5GX7NDcOKYBwTa84hi6ef1evnheu6xzLKCFfthzY56IEIvnT2tjLAgMBAAGjgbAw -ga0wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wKwYDVR0QBCQwIoAPMjAwNjEx -MjcyMDIzNDJagQ8yMDI2MTEyNzIwNTM0MlowHwYDVR0jBBgwFoAUaJDkZ6SmU4DHhmak8fdL -Q/uEvW0wHQYDVR0OBBYEFGiQ5GekplOAx4ZmpPH3S0P7hL1tMB0GCSqGSIb2fQdBAAQQMA4b -CFY3LjE6NC4wAwIEkDANBgkqhkiG9w0BAQUFAAOCAQEAk9QwsNcDICrQ+WPokQwFIKlfGcp7 -ck7UsdvQlvtUWhksDAj3sryFqJ1/bTtSsyrb59SEjGP2D8smAZFQbPRfFOKTdMATnjA6UOO0 -YMUc8CJEjXFHrMgayembmgBgE/9wfl8RTUkbsxVSe8lU2r+dla9rmtie6fHkQ43iEUQ6v6+9 -g0JzUouqu6cpz/VkHApN0byqrJ8q0P9/f9p96rHtMCXBhNo00lt4g1bsnDbDJuIR9mdJHZKr -jPvr/3ruhUqnUIDwp1xKlC5fBZk8UkHgzbRjzwFDupyD3I9gO/NatLR7rtoLkDh174EdZtL3 -V3A2s7/8KK9xJYVbE/4ef1q0PAAAAAIAHGlkZW50cnVzdHB1YmxpY3NlY3RvcnJvb3RjYTEA -AAF8EFmtSAAFWC41MDkAAAVqMIIFZjCCA06gAwIBAgIQCgFCgAAAAUUjz0Z8AAAAAjANBgkq -hkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQD -EyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwHhcNMTQwMTE2MTc1MzMyWhcN -MzQwMTE2MTc1MzMyWjBNMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYD -VQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQC2IpT8pEiv6EdrCvsnduTyP4o7ekosMSqMjbCpwzFrqHd2hCa2 -rIFCDQjrVVi7evi8ZX3yoG2LqEfpYnYeEe4IFNGyRBb06tD6Hi9e28tzQa68ALBKK0CyrOE7 
-S8ItneShm+waOh7wCLPQ5CQ1B5+ctMlSbdsHyo+1W/CD80/HLaXIrcuVIKQxKFdYWuSNG5qr -ng0M8gozOSI5Cpcu81N3uURF/YTLNiCBWS2ab21ISGHKTN9T0a9SvESfqy9rg3LvdYDaBjMb -XcjaY8ZNzaxmMc3R3j6HEDbhuaR672BQssvKplbgN6+rNBM5Jeg5ZuSYeqoSmJxZZoY+rfGw -yj4GD3vwEUs3oERte8uojHH01bWRNszwFcYr3lEXsZdMUD2xlVl8BX0tIdUAvwFnol57plzy -9yLxkA2T26pEUWbMfXYD62qoKjgZl3YNa4ph+bz27nb9cCvdKTz4Ch5bQhyLVi9VGxyhLrXH -Fub4qjySjmm2AcG1hp2JDws4lFTo6tyePSW8Uybt1as5qsVATFSrsrTZ2fjXctscvG29ZV/v -iDUqZi/u9rNl8DONfJhBaUYPQxxp+pu10GFqzcpL2UyQRqsVWaFHVCkugyhfHMKiq3IXAAaO -ReyL4jM9f9oZRORicsPfIsbyVtTdX5Vy7W1f90gDW/3FKqD2cyOEEBsB5wIDAQABo0IwQDAO -BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU43HgntinQtnbcZFr -lJPrw6PRFKMwDQYJKoZIhvcNAQELBQADggIBAEf63QqwEZE4rU1d9+UOl1QZgkiHVIyqZJnY -Wv6IAcVYpZmxI1Qjt2odIFflAWJBF9MJ23XLblSQdf4an4EKwt3X9wnQW3IV5B4Jaj0z8yGa -5hV+rVHVDRDtfULAj+7AmgjVQdZcDiFpboBhDhXAuM/FSRJSzL46zNQuOAXeNf0fb7iAaJg9 -TaDKQGXSc3z1i9kKlT/YPyNtGtEqJBnZhbMX73huqVjRI9PHE+1yJX9dsXNw0H8GlwmEKYBh -Hfpe/3OsoOOJuBxxFcbeMX8S3OFtm6/n6J91eEyrRjuazr8FGF1NFTwWmhlQBJqymm9li1Jf -PFgEKCXAZmExfrngdbkaqIHWchezxQMxNRF4eKLg6TCMf4DfWN88uieW4oA0beOY02QnrEh+ -KHdcxiVhJfiFDGX6xDIvpZgF5PgLZxYWxoK4Mhn5+bl53B/N66+rDt0b20XkeucC4pVd/Gnw -U2lhlXV5C15V5jgclKlZM57IcXR5f1GJtshquDDIajjDbp7hNxbqBWJMWxJH7ae0s1hWx0nz -fxJoCTFx8G34Tkf71oXuxVhAGaQdp/lLQzfcaFpPz+vCZHTetBXZ9FRUGi8c15dxVJCO2SCd -Uyt/q4/i6jC8UDfv8Ue1fXwsBOxonbRJRBD0ckscZOf85muQ3Wl9af0AVqW3rLatt8o+Ae+c -AAAAAgAkZW50cnVzdC5uZXRwcmVtaXVtMjA0OHNlY3VyZXNlcnZlcmNhAAABfBBZrUgABVgu -NTA5AAAELjCCBCowggMSoAMCAQICBDhj3vgwDQYJKoZIhvcNAQEFBQAwgbQxFDASBgNVBAoT -C0VudHJ1c3QubmV0MUAwPgYDVQQLFDd3d3cuZW50cnVzdC5uZXQvQ1BTXzIwNDggaW5jb3Jw -LiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5l -dCBMaW1pdGVkMTMwMQYDVQQDEypFbnRydXN0Lm5ldCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 -eSAoMjA0OCkwHhcNOTkxMjI0MTc1MDUxWhcNMjkwNzI0MTQxNTEyWjCBtDEUMBIGA1UEChML -RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBpbmNvcnAu -IGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0 
-IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 -ICgyMDQ4KTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1NS6kShrLqoyAHFRZk -KitL0b8LSk2O7YB2pWe3eEDAc0LIaMDbUyvdXrh2mDWTixqdfBM6Dh9btx7P5SQUHrGBqY19 -uMxrSwPxAgzcq6VAJAB/dJShnQgps4gL9Yd3nVXN5MN+12pkq4UUhpVblzJQbz3IumYM4/y9 -uEnBdolJGf3AqL2Jo2cvxp+8cRlguC3pLMmQdmZ7lOKveNZlU1081pyyzykD+S+kULLUSM4F -MlWK/bJkTA7kmAd123/fuQhVYIUwKfl7SKRphuM1Px6GXXp6Fb3vAI4VIlQXAJAmk7wOSWiR -v/hH052VQsEOTd9vJs/DGCFiZkNw1tXAB+ECAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G -A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFXkgdERgL7YibkIozH5oSQJFrlwMA0GCSqGSIb3 -DQEBBQUAA4IBAQA7m49WmzDnU5l8enmnTZfXGZWQ+wYfyjN8RmOPlmYk+kAbISfK5nJz8k/+ -MZn9yAxMaFPGgIITmPq2rdpdPfHObvYVEZSCDO4/la8Rqw/XL94fA49XLB7Ju5oaRJXrGE+m -H819VxAvmwQJWoS1btgdOuHWntFseV55HBTF49BMkztlPO3fPb6m5ZUaw7UZw71eW7v/I+9o -GcsSkydcAy1vMNAethqs3lr30aqoJ6b+eYHEeZkzV7oSsKngQmyTylbe/m2ECwiLfo3q15gh -xvPnPHkvXpzRTBWN4ewiN8yaQwuX3ICQjbNnm29ICBVWz7/xK3xemnbpWZDFfIM1EWVRAAAA -AgAOc2VjdXJlZ2xvYmFsY2EAAAF8EFmtSAAFWC41MDkAAAPAMIIDvDCCAqSgAwIBAgIQB1Yi -pOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMX -U2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwHhcN -MDYxMTA3MTk0MjI4WhcNMjkxMjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMX -U2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jxYDiJ -iQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa/FHtaMbQ -bqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJjnIFHovdRIWCQtBJ -wB1g8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnIHmX5k/Wq8VLcmZg9pYYaDDUz -+kulBAYVHDGA76oYa8J719rO+TMg1fW9ajMtgQT7sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgb -EplJL4hL/VBi0XPnj3pDAgMBAAGjgZ0wgZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P -BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmk -MDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3Js -MBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0L 
-URYD7xh8yOOvaliTFGCRsoTciE6+OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXOH0jOZvQ8 -QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cnCDpOGR86p1hcF895P4vkp9MmI50mD1hp/Ed+stCN -i5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/53CYNv6ZHdAbYiNE6KTCEztI5gGIbqMdXSbxq -VVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xcf8LDmBxrThaA63p4ZUWiABqvDA1VZDRI -uJK58bRQKfJPIx/abKwfROHdI3hRW8cWAAAAAgAgbmV0bG9ja2FyYW55KGNsYXNzZ29sZClm -dGFuc3R2bnkAAAF8EFmtSAAFWC41MDkAAAQZMIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqG -SIb3DQEBCwUAMIGnMQswCQYDVQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoM -DE5ldExvY2sgS2Z0LjE3MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZp -Y2F0aW9uIFNlcnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xhc3MgR29sZCkg -RsWRdGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgxMjA2MTUwODIxWjCBpzEL -MAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxOZXRMb2NrIEtmdC4x -NzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlmaWNhdGlvbiBTZXJ2aWNl -cykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNzIEdvbGQpIEbFkXRhbsO6c8OtdHbD -oW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCRec75LbRTDofTjl5Bu0jBF -HjzuZ9lk4BqKf8owyoPjIMHj9DrTlF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw -/HpYzY6b7cNGbIRwXdrzAZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaae -VtAkH3B5r9s5VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8f -xmRGILdwfzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2BJtr -+UBdADTHLpl1neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAGAQH/AgEEMA4G -A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2MU9+D15YwDQYJKoZIhvcN -AQELBQADggEBAKt/7hwWqZw8UQCgwBEIBaeZ5m8BiFRhbvG5GK1Krf6BQCOUL/t1fC8oS2Ik -gYIL9WHxHG64YTjrgfpioTtaYtOUZcTh5m2C+C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY -0fsFskZ1FSNqb4VjMIDw1Z4fKRzCbLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+ -pRVjodSVh/GeufOJ8z2FuLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aUL -NmLazAZfNou2XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7EAAAAC -ABN0ZWxpYXNvbmVyYXJvb3RjYXYxAAABfBBZrUgABVguNTA5AAAFPDCCBTgwggMgoAMCAQIC -EQCVvhag9y5G8Xs5gnL6i82WMA0GCSqGSIb3DQEBBQUAMDcxFDASBgNVBAoMC1RlbGlhU29u 
-ZXJhMR8wHQYDVQQDDBZUZWxpYVNvbmVyYSBSb290IENBIHYxMB4XDTA3MTAxODEyMDA1MFoX -DTMyMTAxODEyMDA1MFowNzEUMBIGA1UECgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlh -U29uZXJhIFJvb3QgQ0EgdjEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDCvusn -8CGj82kmVX6dxVUWkVz97yG/U4B6LdKRjGMx8Owk8MOl0nJ8EG30N7fl5nx56oy1gouuSLas -ANxldewqTV/Bh/UgZSuBqEc+iSOVMBaQf+hXB0jnGa6/RWexNxsGKv7e+ax9g/teuuSPl2e+ -S46NZAdXOFVpNDY9E0jvT+LTZh6kzxq3XjYz1LQGvRgB/XeEUABF9Yxd6CO8fv414e1Qe6kw -jRnTCY5oZ12/PJcYU7spYsXKXnLBx5bU2y2gtB9pA+zq4lDxDDzwrPNTLfAc9e1sOTlzgBbI -UrAjzeA+3N08R6C7NYrimGiLvuW/cu7S+qXtEu38mBipJnbcKEsQIBzTfxZ3Le1vgPdJu1MF -u11ox9TIdRY/iVqL9xdH1Ezx0ol5Pk09mKhh3joe0vheA+DByRyM041N05U2szdfY2ObMxTw -LSZrU3yJjDLCbuw9IQA5yaFo4lCDLrA6K/M2oKwv5G9hwlEJOT6LU7m7Z9rcU7l2WTadQ+Ug -4D0yYIUiUbfHM7vdFS+keKYHe4FGNgSG3Xk1x5UsO7CjFzXlcx+0XFnv2uoQZXt60H+fs7Qq -Nztwi5tbuSu37LJREpdTKVrU8BIQ3E8CuxKSL2LUP2lDfA3W/Fh1AYidWBZL3rqQ/0cBiQZq -9l+ykGqzAqYCiL+zR34q2dX6aHg1TQIDAQABoz8wPTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud -DwQEAwIBBjAdBgNVHQ4EFgQU8I9ZOACz9Y+algzV6/p7qhfoExIwDQYJKoZIhvcNAQEFBQAD -ggIBAL7kXGJOJPQMCP/w0wxo5JNJIj9EJ2+7bd6DZs6ozA389ZoG5XcUkeudQXuZKoTl//wh -wV3w5B9Xt3WpoV8CJv/Xx/dO3k/49xxGwHpPQCwiNfAZsdBrZyywqODAQDc19oRcXOOvQnj+ -p8kNUOoNhHb2Ue+DU8Z6/w5WSS6PetYM5idU400KYHJizZEH1qW/yJlr7cQZ5qtMETjFbzHi -bknIP3aAJgMmKeA29vYgU+MXcDQXnWNoHmvsw02GuBMwL11GDUdD1RuqWQ65XI0GSK10h1/H -/DFUQRPixyEOnuAeDeHAe0OFkMWKWMZlCnhX8sYjDwHZIEveD/uShXUqXHONbXslkcruRa4G -SwDM07FZUNo6iDspQ0ZelytUzlNvjUrnlvq/cQ5Ci3z9KKDQSMraxIFMu6JzkybI6wzWJoi2 -wCTPu71b63V96QiOhjMseXcJaaWJ/LNwkId2j9Miu0LOvXMLICYq0Js9cB4kbM2HdqkXlrfP -DZL7jhipmEnRnv5gRHIhuRntwvUx8TlIiJAkdVQWrc70+GkUZDn7o7i6cEDHJxy/xFZT+mNl -0PMcDhb1a4ZYTRjU5A2OpZ1bkdx2JFA/xir72bectdbm0NnoGYsVcUitt+rYWYjUkL8Ws9np -rFlhVMgcusrByuG5IEyPOpOJpaDMv9P2daR1lm1WAAAAAgA0YXV0b3JpZGFkZGVjZXJ0aWZp -Y2FjaW9uZmlybWFwcm9mZXNpb25hbGNpZmE2MjYzNDA2OAAAAXwQWa1IAAVYLjUwOQAABhgw -ggYUMIID/KADAgECAghT7Dvu+7JIXzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJFUzFC -MEAGA1UEAww5QXV0b3JpZGFkIGRlIENlcnRpZmljYWNpb24gRmlybWFwcm9mZXNpb25hbCBD 
-SUYgQTYyNjM0MDY4MB4XDTA5MDUyMDA4MzgxNVoXDTMwMTIzMTA4MzgxNVowUTELMAkGA1UE -BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1hcHJvZmVz -aW9uYWwgQ0lGIEE2MjYzNDA2ODCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMqW -a47q+PvxojXgf0za4MNS1322EMgCXrNDKsRParLKHF0omngRGmlZV6+1IELkiw/m31umA5Iv -9RHkYtcycTjZBAxxqz1Rfg8H32MFXOm/lG/BKYLAtNpRsME8u603SlzK8Us2DiSrv8OEd/2o -UPSx58Yv0i1ZjXoKTpZpUgKqNpjs/PoUgww3H8mSN3/XgS3lxLngPjT+Z/Q+ZtHT9EDPXmI0 -D3AGPiAYWs73chslbJN0FJOjc7EOqocQI1lfIAUZR+1ojpISyl381iuykjwgz+FfryC+oHZ/ -duXsGoZhMz7ne7Q/oA+Oorlqb7mHJm9BbIimUP1qYwv1kxYbGY+y7ZubyZD1AQzfGT0PPjgj -yS+PDNEC/htV1k7QjTyvT6Tz/q8q0wWdeQihy1cxtJzIkLJn9BgWkzr8R9jReJYxH7orDF9d -ma1jiVokIHbY3/2rTqYiqp1e5ieKfWgpo+eKuNoRuxctmZ0TJEb3xeLYn45/x490bVqy6HL1 -rO4kEK0vFNr/LZpGcUe+Qt+7Adv0f9MojzFZW9PJAqa0Uspul/tDxQgmb4r0u/2fKKoN1UXz -Ezod2MB4j0FnPB6UZK57C8Xo2QGIORqXhmRB1TuHDG76D8a9SBS/OU3UnkG2j5YdY5aT2ZUG -eDFonjcGO4CJRWE5I8cbRKMV5Rz4kjC7AgMBAAGjge8wgewwEgYDVR0TAQH/BAgwBgEB/wIB -ATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFGXN66s1HgA+ftV0wBy0c0cOGmQvMIGmBgNV -HSAEgZ4wgZswgZgGBFUdIAAwgY8wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cuZmlybWFwcm9m -ZXNpb25hbC5jb20vY3BzMFwGCCsGAQUFBwICMFAeTgBQAGEAcwBlAG8AIABkAGUAIABsAGEA -IABCAG8AbgBhAG4AbwB2AGEAIAA0ADcAIABCAGEAcgBjAGUAbABvAG4AYQAgADAAOAAwADEA -NzANBgkqhkiG9w0BAQUFAAOCAgEAF32g+bTdxcXrrUsktaECq92liEqyD1VLK1eMO+Ux3f7E -MvHnW2SWNjIY7KUyd9fjRLbAESqAuT1qbnyb0638w9aj5mQpfNHhOB6CK/8nZa/7FhXELnGE -5bX/+qRHvWQyu/YlhKInQvUgsMITEBHNEBW6QpAq0kThlibrMUgS/SrayQbPdB6pS9WHKPl5 -NJI+LkTo9o9PjzU/JbM53GMqkGsgX8RSEk6XLCqsnZfeSPKjZtvC0oOVpmanniUP6QszkWUK -WsPZVBLdr8NODh8mXg3cs43s1YFw3tJPJAXzbE71TElmjdH/0gslQUj+UYTGQq+ABM/QfmRJ -5PLfouyxTMAqHee0sWWixLzxmPSqcAdjtLjaO0z6QCIwWxGm8AUOxgIDSKuGm4Xd293qonaA -c331nATERY3nuRyLnurXddFysd51ROdCfeJXa33cmbw9gyjqgJONxUxlwXCBuDj8QzGy9gM0 -R7Ks+yIGyx7dF0ccX2a50xqi2hGxpLwjyeS+h/+5lLb4XSBK1F/nvWh7ZfIVHtI6qS3p2Gsk -rJdYREetWRjxIWVw3s40YKhA8fM8pMMoI4z+JzNDQKAXPOvqO7BypqO5SkteFkj0srzIjJLF -nZ+scja8NIA0a6mLksC4F+3sdlP1JAGMsyLoS3xVxp36oxS7ZYVubk8Sfgo8nZUAAAACAA5h 
-Y3JhaXpmbm10LXJjbQAAAXwQWa1IAAVYLjUwOQAABYcwggWDMIIDa6ADAgECAg9dk40wZzbI -Bh0ax1SEaQcwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQt -UkNNMRkwFwYDVQQLDBBBQyBSQUlaIEZOTVQtUkNNMB4XDTA4MTAyOTE1NTk1NloXDTMwMDEw -MTAwMDAwMFowOzELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMRkwFwYDVQQLDBBB -QyBSQUlaIEZOTVQtUkNNMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunGAekyG -bn/IE23Axn0cAJePLAwjuxCaQKkat4eI+JtWavvme46Lko6nJV1ZEds2LrdRFx+pCB8EFyRY -qjdKGN/lOdRX/dfBLJEBkeIi1APAWPx3R+yPPnRDuqw0jU04dmeOsMhvMDNYcVy09Wtu1AFQ -uBN+bEqjSdEgGe68wCkYZafe/u/dCpAh5xpnkkIQmF9PMLw+HEW0ENdoQBTAQPrndxd65guP -ZVs82ZpS27W9nkbPPeuRBQLAlrJ2TE0QljuS+px/D5nfviM1RR4CXP61qJuZJdpe8yLDOfXk -Ki7Txh/EbKrFHGoBBUov0sXBqDQmXWal0gIh+Ri3BvVOmW+oq0xR6M9QGMV3yDkJLEmSMpmo -uxcXebBaxeajxFllRzWDXqnoNQuZu+TNIMabSgY5tWj8IrruVYwrTurzseP8tpma1UL6cU0I -z4ceanF9+dO06aVxgXvCTkeWpfZ2haMoj+mAboFTpW1fuEj5wvk2pi5J/7iWwowHs5uIWPzr -GxzeLXDil5IwoYnjvFWoJ9ZL7ZCti/pjJVktqDXdypczvOXNx53R7O9eDkqQBiZjrbnZNS0H -unZlLKxXj330B5TXgQKWXaMHSdV60Ff5G+dTRnWqsHlCy2hxCOlgvTlpzvSvw1ZAx61Sognk -b4ZHih/rKCddgyCvBMlsVpqLRvUCAwEAAaOBgzCBgDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud -DwEB/wQEAwIBBjAdBgNVHQ4EFgQU933F/cTomht3ZKf1HaDMv4dgmm0wPgYDVR0gBDcwNTAz -BgRVHSAAMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuY2VydC5mbm10LmVzL2RwY3MvMA0G -CSqGSIb3DQEBCwUAA4ICAQAHkErf8yNO8MOcUWWbnCKiigyF83Mpa03+AeKpDGMBvwRnpZ2Y -X/0BE/rsmmLphv62YtJuTJT7wHVFfGUM+LI3z6wPz41v+Rn3j+we8nCe8Mq477f/djd2W/Zu -iPOvYjIikw06ao4UZgwtU3RXZR7Vst0jgTulZiMnZwmP4XeqQ81lUQjtUVj+5jn5y0eEpBXx -druk7qQ7xF/vsjOWERi3yWW+GOGjpNz6GPnTvBObOXo0utNB+/oyiiq3K4YLaYM4vs2KLgtw -rY0mku4e9QErCtnWl5tu4KgZHDohiwweQK0D591mfvW5IA0D6Jb5gkXUOeCgAF3XmOZ9nmdz -w5oq96uLoToU7zS8Ug6JmJoEQIQdfkVpk1fO6874UHxPHG4EQ5v51jsjGOnqjtFNRo3xO+Rq -yrr7I7eb+pkBKVpYWi3j+dRtDiatwW40vDL4DAX6ZaPbOzeDIunW3HIz/V3yIL12PCPaKPf5 -G+tZZNXcX3J+IPzNibWQZ01iej9OrR3DOf569CgW30H2SIAF1w9ReawQq9TsA2bmarC6MZJC -QGq+OtNy4Wo3VbysHZW3aWHyQ5F05qDTCiRGoQiv1tpFGZbUUx1bhHnwwPdH74uPxQaunUxi -nf9GBPjTybYQJUB1/haqyUpghi+67zB35FTiuISZWICqE4tROk9I9ou2swAAAAIAE2dkY2F0 
-cnVzdGF1dGhyNXJvb3QAAAF8EFmtSAAFWC41MDkAAAWMMIIFiDCCA3CgAwIBAgIIfQmX/vBH -6nowDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCQ04xMjAwBgNVBAoMKUdVQU5HIERPTkcg -Q0VSVElGSUNBVEUgQVVUSE9SSVRZIENPLixMVEQuMR8wHQYDVQQDDBZHRENBIFRydXN0QVVU -SCBSNSBST09UMB4XDTE0MTEyNjA1MTMxNVoXDTQwMTIzMTE1NTk1OVowYjELMAkGA1UEBhMC -Q04xMjAwBgNVBAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZIENPLixMVEQu -MR8wHQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMIICIjANBgkqhkiG9w0BAQEFAAOC -Ag8AMIICCgKCAgEA2aMW8Mh0dHeb7zMNOwZ+Vfy1YI92hhJCfVZmPoiC7XJjDp6L3TQsAlFR -wxn9WVSEyfFrs0yw6ehGXTjGoqcuEVe6ghWinI9tsJlKCvLriXBjTnnEt1u9ol2x8kECK62p -OqPseQrsXzrj/e+APK00mxqriCZ7VqKChh/rNYmDf1+uKU49tm7srsHwJ5uu4/Ts765/94Y9 -cnrrpftZTqfrlYwiOXnhLQiPzLyRuEH3FMEjqcOtmkVEs7LXLM3GKeJQEK5cy4KOFxg2fZfm -iJqwTTQJ9Cy5WmYqsBebnh52nUpmMUHfP/vFBu8btn4aRjb3ZGM74zkYI+dndRTVdVeSN72+ -ahsmUPI2JgaQxXABZG12ZuGR224HwGGALrIuL4xwp9E7PLOR5G62xDtw8mySlwnNR30YwPO7 -ng/Wi64HtloPzgsMR6flPri9fcebNaBhlzpBdRfMK5Z3KpIhHtmVdiBnaM8Nvd/WHwlqmuLM -c3GkL30SgLdTMEZeS1SZD2fJpcjyIMGC7J0R38IC+xo70e0gmu9lZJIQDSri3nDxGGeCjGHe -uLzRL5z7D9Ar7Rt2ueQ5Vfj4oR24qoAATILnsn8JuLwwoC8N9VKejveSswoAHQBUlwbgsQfZ -xw9cZX08bVlX5O2ljelAU58VS6Bx9hoh49pwBiFYFIeFd3mqgnkCAwEAAaNCMEAwHQYDVR0O -BBYEFOLJQJ9NzuiaoXzPDj9lxSmIahlRMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD -AgGGMA0GCSqGSIb3DQEBCwUAA4ICAQDRSVfgp8xoWLoBDysZzY2wYUWsEe1jUGn4H3++Fo/9 -nesLqjJHdtJnJO29fDMylyrHBYZmDRd9FBUb1Ov9H5r2XpdptxolpAqzkT9fNqyL7FeoPueB -ihhXOYV0GkLH6VsTX4/5COmSdI31R9KrO9b7eGZONn356ZLpBN79SWP8bfsUcZNnL0dKt7n/ -HipzcEYwv1ryL3ml4Y0M2fmyYzeMN2WFcGpcWwlyua1jPLHd+PwyvzeG5LuOmCd+uh8W4XAR -8gPfJWIyJyYYMoSf/wA6E7qaTfRPuBRwIrHKK5DOKcFw9C+df/KQHtZa37dG/OaG+svgIHZ6 -uqbL9XzeYqWxi+7egmaKTjowHz+Ay60nugxe19CxVsp3cbK1daFQqUBDF8Io2c9Si1vIY9RC -PqAzekYu9wogRlR+ak8x8YF+QnQ4ZXMn7sZ8uI7XpTrXmKGcjBBV09tL7ECQ8s1uV9JiDnxX -k7Gnbc2dg7sq5+W2O3FYrf3RRbxake5TFW/TRQl1brqQXR4EzzffHqhmsYzmIGrv/EhOdJhC -rylvLmrH+33RZjEizIYAfmaDDEL0vTSSwxrqT8p+ck0LcIymSLumoRT2+1hEmRSuqguTaaAp -JUqlyyvdimYHFngVV3Eb7PVHhPOeMTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0gAAAAIA 
-Cml6ZW5wZS5jb20AAAF8EFmtSAAFWC41MDkAAAX1MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/h -y/WL1xnmfTANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBF -IFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5jb20wHhcNMDcxMjEzMTMwODI4WhcNMzcxMjEzMDgy -NzI1WjA4MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6 -ZW5wZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ03rKDx6sp4boFmVq -scIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAKClaOxdgmlOHZ -SOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6HLmYRY2xU+zydcsC8 -Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFXuaOKmMPsOzTFlUFpfnXCPCDF -YbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQDyCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxT -OTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieF -UCbKF7jJeodWLBoBHmy+E60QrLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUb -Qc/hhqfK0GqfvEyNBjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnv -mfzAuU8Lhij+0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIB -QFqNeb+Lz0vPqhbBleStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+HMh3/1ua -D7euBUbl8agW7EekFwIDAQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2luZm9AaXplbnBlLmNv -baSBkTCBjjFHMEUGA1UECgw+SVpFTlBFIFMuQS4gLSBDSUYgQTAxMzM3MjYwLVJNZXJjLlZp -dG9yaWEtR2FzdGVpeiBUMTA1NSBGNjIgUzgxQzBBBgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJy -YW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAxMCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUw -AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0G -CSqGSIb3DQEBCwUAA4ICAQB4pgwWSp9MiDrAyw6lFn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHz -P7MOeIWblaQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbgakEyrkgPH7UIBzg/YsfqikuFgba56 -awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8qhT/AQKM6WfxZSzwoJNu0FXWu -DYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Csg1lwLDXWrzY0tM07+DKo -7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCTVyvehQP5aTfLnnhqBbTFMXiJ -7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGkLhObNA5me0mrZJfQRsN5nXJQY6aYWwa9 -SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJbUjWumDqtujWTI6cfSN01RpiyEGjkpTHCClguGYEQ -yVB1/OpaFs4R1+7vUIgtYf8/QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZoQ0iy 
-2+tzJOeRf1SktoA+naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1Z -WrOZyGlsQyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxwAAAAIAGm9pc3Rl -d2lzZWtleWdsb2JhbHJvb3RnY2NhAAABfBBZrUgABVguNTA5AAACbTCCAmkwggHvoAMCAQIC -ECEqVgyu2gyrQEW/K6ItOuowCgYIKoZIzj0EAwMwbTELMAkGA1UEBhMCQ0gxEDAOBgNVBAoT -B1dJU2VLZXkxIjAgBgNVBAsTGU9JU1RFIEZvdW5kYXRpb24gRW5kb3JzZWQxKDAmBgNVBAMT -H09JU1RFIFdJU2VLZXkgR2xvYmFsIFJvb3QgR0MgQ0EwHhcNMTcwNTA5MDk0ODM0WhcNNDIw -NTA5MDk1ODMzWjBtMQswCQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZ -T0lTVEUgRm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9i -YWwgUm9vdCBHQyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABEzpUMDGD3IYvNjxurOJ4nlK -oxana1Qk21H/6vQJJMMLIp/LaieCgQ3SwK8x5HSCbsol2Yx1nfHb0JqiSyF+FqdjkNI51LGH -eF8Ylg9QGzU3D2rG3NkTTaSOkDfmvVsxkaNUMFIwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB -/wQFMAMBAf8wHQYDVR0OBBYEFEiHFKzjw56QYDrXyonu062MtFBmMBAGCSsGAQQBgjcVAQQD -AgEAMAoGCCqGSM49BAMDA2gAMGUCMCbHaVvc1eey58gMjIzD3XmMG2PVyVKUTk2CSnMesoCE -qSXATFptSSlgeBPifkjrZAIxANs0IDII/5pJAraI3hSvXWyZcY0aP4vX4KI2hhwHgjp2U/3C -ou3ve7CAT1gPS1M5vQAAAAIAHWUtdHVncmFjZXJ0aWZpY2F0aW9uYXV0aG9yaXR5AAABfBBZ -rUgABVguNTA5AAAGTzCCBkswggQzoAMCAQICCGpoPpxRm8tTMA0GCSqGSIb3DQEBCwUAMIGy -MQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1xJ9yYSBFQkcg -QmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEuxZ4uMSYwJAYDVQQLDB1F -LVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYGA1UEAwwfRS1UdWdyYSBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTAeFw0xMzAzMDUxMjA5NDhaFw0yMzAzMDMxMjA5NDhaMIGyMQsw -CQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1xJ9yYSBFQkcgQmls -acWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEuxZ4uMSYwJAYDVQQLDB1FLVR1 -Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYGA1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0 -aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOL1P5MFUR6F -YlReegv1GAeDrn6vfPfUimulY0M5uUv3w8ZkiT2ULlSAUjk5B0tL3YUHdofMvy+VTMx9pz28 -Rw+YcPiMhR50jpJtG0DRmQ27dW7IqWuawIQxr8pDy+srNOiPl2sBm9UOSgiqW5J0hUPTgK6h -iFuus+peyxaad0TIofZUaM7ej5crultAAgxkF8C1k83h8RNmzgx579GRKKtfoBJSMHMZjo/h 
-jAeiw7tK8OofFajuJcykRvgbIu+zDkO6LCS4xSxc1Bz4XWS9w5NeKKc/J/GOHtMqUAWjVdnL -5zlTwJiejFRiiyaw932NfOTGnmZCVYJH57JYjWb3B3wuNuZQHD/bQyTFv4ZHebN5HPda9BPs -bPg/4lkfle5CPrmtqDKFSZdG/ksxj1rLrXRHH+mRt98oBCKg1A9d4nlP6myFhr2ops7k+sPh -s67ePFHuyxN8AX+EDl1RlJ4TDLYupUz5OXA2b5bKLgxEVcXK+l0Co9/WZIxaswEKqbUKRxf/ -75FAKo6hRjoxmOUR/My7SVaK/LnQYZpvZWzmw8s+dUn+j6fiicVn151GE04xdjsks54RZYar -f+8d1Pi856xaXLdaR1xVzlW0InFbWwvwz9ygYWTqqddoCmOn4A0/oK/TqtJ+71Gg5lErVZIV -F1PLt2YOZkz4+XVMkOcScMdFAgMBAAGjYzBhMB0GA1UdDgQWBBQu49uySdCcVHlc+icq/sxO -0uhOVDAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFC7j27JJ0JxUeVz6Jyr+zE7S6E5U -MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEABTc69E23ReJFdSSPtndS6BzY -EJNl8/JZBqQ+HinsXdHQq3zgCpBIeO1OmAOZ/ihgkR0wHbhjfKjmNbX602F25tYHS8ppmrKE -eneTRRcVnyTQmBMS/7ugLv1OTIf4zlyqmBsF4ABGSoKApTOLKNztONPf5T7p/vtZ3WGET9JU -lhNhEz6PgGm+k0e1NUPSWrs9XO+zQkfNO1UTBrAJ2/1j9jqICplvfuHOG1NqRGYjUQh7vFtS -ov0GNzhAYY9KlriQN/hmx3iQABUui61RNVMHqGtorvlOPAcmzQgFcMw5P3a9pdNnJgGGplPS -YDt8Q39ViryVGsEoOUwfQ9KR9HJZirlW/D+0ndpwnHZajENQ7o4wck3f/0n3xqln2W2sAhHi -OhYlp1gIy29TQZxIOEdoM9HXx4/UdCHUwwWQev/OloixFSldI6vQYKEST970F80y5cm/yEOt -/S6O8a/i9Jj6Eh8g2MCnDIXFkPQ7LZYmsSy+TKvrsdKKydt4Ew8eCZ1tjwCfAtrB+h96egnE -SuaIKpefiYv9N19fOs44WYZLr3ELtNjycE+fMhPjsKdX5draQ8uENPIoxOpt9CrvwWt22vt+ -u4U80lPCTb5x4UXR/SNnDRN1+89lZyKdrrAJ0Qn/HTS//iOXN9I5+j0NBgu02zujq29cHbZ+ -6LOCNO0GXCQAAAACAA9xdW92YWRpc3Jvb3RjYTMAAAF8EFmtSAAFWC41MDkAAAahMIIGnTCC -BIWgAwIBAgICBcYwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1 -b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMzAeFw0wNjExMjQx -OTExMjNaFw0zMTExMjQxOTA2NDRaMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRp -cyBMaW1pdGVkMRswGQYDVQQDExJRdW9WYWRpcyBSb290IENBIDMwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQDMV0IWVJzmmNPTTe7+7cefQzlKZbPoFog02w1ZkXTPkrgEQK0C -SzGrvI2RaNggDhoB4hp7Thdd4oq3P5kazethq8Jlph+3t723j/z9cI8LoGe+AaJZz3HmDyl2 -/7FWeUUrH556VOijKTVopAFPD6QuN+8bv+OPEKhyq1hX51SGyMnzW9os2l2ObjyjPtr7guXd -8lyyBTNvijbO0BNO/79KDDRMpsMhvVAEVeuxu537RR5kFd5VAYwCdrXLoT9CabwvvWhDFlaJ 
-Kjdhkf2mrk7AyxRllDdLkgbvBNDInIjbC3uBr7E9KsRlOni27tyAsdLTmZw67mtaa7ONt9XO -nMK+pUsvFrGeaDsGb659n/je7Mwpp5ijJUMv7/FfJuGITfhebtfZFG4ZM2mnO4SJk8RTVROh -UXhA+LjJou57ulJCg54U7QVSWllWp5f8nT8KKdjcT5EOE7zelaTfi5m+rJsziO+1ga8bxiJT -yPbH7pcUsMV8eFLI8M5ud2CEpukqdiDtWAEXMJPpGovgc2PZapKUSU60rUqFxKMiMPwJ7Wgi -c6aIDFUhWMXhOp8q3crhkODZc6tsgLjoC2SToJyMGf+z0gzskSaHirOi4XCPLArlzW1oUeva -PwV/izLmE1xr/l9A4iLItLRkT9a6fUg+qGkM17uGcclzuD87nSVL2v9A6wIDAQABo4IBlTCC -AZEwDwYDVR0TAQH/BAUwAwEB/zCB4QYDVR0gBIHZMIHWMIHTBgkrBgEEAb5YAAMwgcUwgZMG -CCsGAQUFBwICMIGGGoGDQW55IHVzZSBvZiB0aGlzIENlcnRpZmljYXRlIGNvbnN0aXR1dGVz -IGFjY2VwdGFuY2Ugb2YgdGhlIFF1b1ZhZGlzIFJvb3QgQ0EgMyBDZXJ0aWZpY2F0ZSBQb2xp -Y3kgLyBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVudC4wLQYIKwYBBQUHAgEWIWh0 -dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL2NwczALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE -FPLAE+CCQz777i9nMpY1XNu4ywLQMG4GA1UdIwRnMGWAFPLAE+CCQz777i9nMpY1XNu4ywLQ -oUmkRzBFMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEbMBkGA1UE -AxMSUXVvVmFkaXMgUm9vdCBDQSAzggIFxjANBgkqhkiG9w0BAQUFAAOCAgEAT62gLEz6wPJv -92ZVqyM07ucp2sNbtrCD2dDQ4iH782CnO11gUyeim/YIIirnv6By5ZwkajGxkHon24QRiSem -d1o417+shvzuXYO8BsbRd2sPbSQvS3pspweWyuOEn62Iix2rFo1bZhfZFvSLgNLd+LJ2w/w4 -E6oM3kJpK27zPOuAJ9v1pkQNn1pVWQvVDVJIxa6f8i+AxeoyUDUSly7B4f/xI4hROJ/yZlZ2 -5w9Rl6VSDE1JUZU2Pb+iSwwQHYaZTKrzchGT5Or2m9qoXadNt54CrnMAyNojA+j56hl0YgCU -yyIgvpSnWbWCar6ZeXqp8kokUvd0/bpO5qgdAm6xDYBEwa7TIzdfu4V8K5Iu6H6li92Z4b8n -by1dqnuH/grdS/yO9SbkbnBCbjPsMZ57k8HkyWkaPcBrTiJt7qtYTcbQQcEr6k8Sh17rRdhs -9ZgC06DYVYoGmRmioHfRMJ6szHXug/WwYjnPbFfiTNKRCw51KBuav/0aQ/HKd/s7j2G4aSgW -QgRecCocIdiP4b0jWy10QJLZYxkNc91pvGJHvOB0K7Lrfb5BG7XARsWhIstfTsEokt4YutUq -KLsRixeTmJlglFwjz1onl14LBQaTNx47aTbrqZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK -4SVhM7JZG+Ju1zdXtg2pEtoAAAACAA9xdW92YWRpc3Jvb3RjYTIAAAF8EFmtSAAFWC41MDkA -AAW7MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0xGTAX -BgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAe -Fw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQK 
-ExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9WYWRpcyBSb290IENBIDIwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCaGMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXz -L4GtMh6QRr+jhiYaHv5+HBg6XJxgFyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrG -sxDp3MJGF/hd/aTa/55JWpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/ -+NsRE8Scd3bBrrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF -60Tp+ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1ksOR -1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/iUcw6UwxI5g69 -ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIizPtGo/KPaHbDRsSNU30R2 -be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og/zOhD7osFRXql7PSorW+8oyWHhqP -HWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UHoycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR -2gyPZFwDwzqLID9ujWc9Otb+fVuIyV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwID -AQABo4GwMIGtMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8 -SEwzJQTU7tD2A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcw -RTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1 -b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2fBluornFdLwUv -Z+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzng/iN/Ae42l9NLmeyhP3Z -RPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2BlfF/nJrP3MpCYUNQ3cVX2kiF495V5 -+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5KWWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zs -l0Q80m/DShcK+JDSV6IZUaUtl0HaB0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0u -RY/W6ZM/57Es3zrWIozchLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gN -NWQjrLhVoQPRTUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+ -XIWDmbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0ZohEU -GW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y4aOTHcyKJloJ -ONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza8eOx79+Rj1QqCyXBJhnE -UhAFZdWCEOrCMc0uAAAAAgAlZW50cnVzdHJvb3RjZXJ0aWZpY2F0aW9uYXV0aG9yaXR5LWVj -MQAAAXwQWa1IAAVYLjUwOQAAAv0wggL5MIICgKADAgECAg0Apot5KQAAAABQ0JH5MAoGCCqG -SM49BAMDMIG/MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE 
-CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIg -RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTMwMQYDVQQDEypFbnRy -dXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBFQzEwHhcNMTIxMjE4MTUyNTM2 -WhcNMzcxMjE4MTU1NTM2WjCBvzELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIElu -Yy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsT -MChjKSAyMDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEzMDEG -A1UEAxMqRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRUMxMHYwEAYH -KoZIzj0CAQYFK4EEACIDYgAEhBPJ0LptQXvibNDrVV9mAhok9FuJaUfjuMJ98fICxZ+g9lvV -iwYZhk9TEG0HJCehoPjVRxlhTH3KkyfqdAzvb5YJ/mPscF02rWd3rsmdfFVEOqJjUR/142LU -qUcHPswgo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -t2PnGt2N6QimVYOk4GpQQWURQkkwCgYIKoZIzj0EAwMDZwAwZAIwYXnY5UJH3xyuU5kXtm8c -feG/EZTRA4h15I2JpIp3Rt5tYe8C9fu138z+Tv/+qeanAjBbmdeFNwa1ewj96yeLSpT54fqn -jiYI6HySaG1z2G8mrCECuJm3JkFbJWCu0Ega7gYAAAACABpvaXN0ZXdpc2VrZXlnbG9iYWxy -b290Z2JjYQAAAXwQWa1IAAVYLjUwOQAAA7kwggO1MIICnaADAgECAhB2sSBSdPCFh0az+CMa -9sLAMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIw -IAYDVQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNl -S2V5IEdsb2JhbCBSb290IEdCIENBMB4XDTE0MTIwMTE1MDAzMloXDTM5MTIwMTE1MTAzMVow -bTELMAkGA1UEBhMCQ0gxEDAOBgNVBAoTB1dJU2VLZXkxIjAgBgNVBAsTGU9JU1RFIEZvdW5k -YXRpb24gRW5kb3JzZWQxKDAmBgNVBAMTH09JU1RFIFdJU2VLZXkgR2xvYmFsIFJvb3QgR0Ig -Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYF7ccSiQq1pexyuIe+30475j1 -sjmYTie4EV170iWUiIIVJmobMbuoWyEhK9gPTp9a8bFa5HnWMiMr4VPMmUVce0+tvL+HSgtL -l1qo9kjsfXsNzSEG354V/UGKSLcg9KF6G1fUXVD/umfYI5kfyD/j3v9vW3exa264yWT34cpB -Rg4pcdC5I/zJgV9O92/fv4Stc2S7t0KOafbUdh1+nae4V4pRZ3LX1Ki4lVRAcwP26vTr/ihC -dz+dIxuytj2AFAdMLk/31QoWDb1mQzd+I0N5w0CG9Uwp2o6arQ2lBIeIHoXj6VPVm8iLA2N4 -6+AZSm67L2szZFiTrWm/jxvvgkjHAgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8E -BTADAQH/MB0GA1UdDgQWBBQ1D8g2Y17io+z5O2YVzlFS45GaPTAQBgkrBgEEAYI3FQEEAwIB -ADANBgkqhkiG9w0BAQsFAAOCAQEAQEz7h7KZgZB+ncWwsCbNiHsrMo1uuCFxWJd9rjcUrz7n 
-95riffZxmJkEqkN0eKPjSWE+c4xNlOD5ccS2Fg5TeB/WoocvAjmBKTyvFZghMP4okACM0eHL -+l7I/fgQRjuieEKRF3RVCt5QZ01m0af//dnAtaijis5m9Q9DzacrV3tjRmqqLlLY9O3hba0p -kHhIuuEjqqOJ7LWrlsC0S6Idl5568m5Acd9o8WVNznwF31NlqaXwsZcEcBVGA5jU0r9UtKBY -fVJv2lYmYtTY24kxbxzwIsLTYhw1zUxpFVQakJje6x5fynfHy449Q2mcmljQJDvfG0CWfjWt -gcdOcbqIEwAAAAIAJW5hdmVyZ2xvYmFscm9vdGNlcnRpZmljYXRpb25hdXRob3JpdHkAAAF8 -EFmtSAAFWC41MDkAAAWmMIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJ -KoZIhvcNAQEMBQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBM -QVRGT1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0aW9u -IEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkxCzAJBgNVBAYT -AktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBDb3JwLjEyMDAGA1UEAwwp -TkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3 -DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVAiQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gv -QnXp2XskWjFlqxcX0TM62RHcQDaH38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtS -AuXaMl3Dxeb57hHHi8lEHoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/ -6imBEtRTkZazkVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABI -qKYPszuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8ObtoqvC8M -C3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHfnZ3zVHbOUzoB -ppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaGYQ5fG8Ir4ozVu53BA0K6 -lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo0es+nPxdGoMuK8u180SdOqcXYZai -cdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3aCJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv -8ejyYhbLgGvtPe31HzClrkvJE+2KAQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0Iw -QDAdBgNVHQ4EFgQU0p+I36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1Ud -EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7g -yKoNqo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatjcu3c -vuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm+LUx5vR1yblT -mXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCLhr0N8F5OSza7OyAfikJW -4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQelHsIJchxzIdFV4XTnyliIoNRlwAY 
-l3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzy -qkn+Zvjp2DXrDige7kgvOtB5CTh8piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmW -Ncf7I4GOODm4RStDeKLRLBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0 -kNwUXTC/t+sX5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF -4+KOdh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul9XXe -ifdyAAAAAgAJZ3Rzcm9vdHI0AAABfBBZrUgABVguNTA5AAACDjCCAgowggGRoAMCAQICEG5H -qciLlLbouzsq2KKywZkwCgYIKoZIzj0EAwMwRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdv -b2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFI0MB4XDTE2MDYy -MjAwMDAwMFoXDTM2MDYyMjAwMDAwMFowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2ds -ZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFI0MHYwEAYHKoZIzj0C -AQYFK4EEACIDYgAE83Rzp2iLYK5DuDXFgTB7S0md+8FhzubeRr1r1WEYNa5A3XP3iZEwWus8 -7oV8okB2O6nGuEfYKueSkWpz6bFyOZ8pn6KY019eWIZlD6GEZQbR3IvJx3PIjGov5cSr0R2K -o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUgEzW63T/ -STaj1dj8tT7FavCUHYwwCgYIKoZIzj0EAwMDZwAwZAIwalBSdAjEcNyeUHQh6I16IcNPlm4V -0SI1YS36CDfuGW2t27LMfQc09WAZLLU02W8gAjADcbG6o2ALhu2aCGqVaJ/is+GTZHxek6bf -eS2NheOUzyNdcczysE3W/pnIlKl1ouMAAAACAAlndHNyb290cjMAAAF8EFmtSAAFWC41MDkA -AAIQMIICDDCCAZGgAwIBAgIQbkepx2ypcyRAiQ8DVd2NHTAKBggqhkjOPQQDAzBHMQswCQYD -VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxML -R1RTIFJvb3QgUjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAwWjBHMQswCQYDVQQG -EwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RT -IFJvb3QgUjMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQfTzOHMymKoYTey8chWEGJ6ladK0uF -xh1MJ7x/JlFyb+Kf1qPKzEUURout736GjOyxfi//qXGdGIRFBEFVbivqJn+7kAHjSxm65FSW -RQmx1WyRRK2EE46ajA2ADDL24CejQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD -AQH/MB0GA1UdDgQWBBTB8Sa6oC2uhYHP0/EqEr24Cmf9vDAKBggqhkjOPQQDAwNpADBmAjEA -gFukfCPAlaUs3L6JbyO5o91lAFJekazInXJ0glMLfalAvWhgxeG4VDvBNhcl2MG9AjEAnjWS -dIUlUfUk7GRSJFClH9voy8l27OyCbvWFGFPouOOaKaqW04MjyaR7YbPMAuhdAAAAAgAUZGln -aWNlcnRnbG9iYWxyb290ZzMAAAF8EFmtSAAFWC41MDkAAAJDMIICPzCCAcWgAwIBAgIQBVVW 
-vPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGln -aUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2Vy -dCBHbG9iYWwgUm9vdCBHMzAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJ -BgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2Vy -dC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYF -K4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FGfp4tn+6O -YwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPOZ9wj/wMco+I+o0Iw -QDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUs9tIpPmhxdiu -NkHMEWNpYim8S8YwCgYIKoZIzj0EAwMDaAAwZQIxAK288mw/EkrRLTnDCgmXc/SINoyIJ7vm -iI1Qhadj+Z4y3maTD/HMsQmP3Wyr+mt/oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9O -jIgrqJqpisXRAL34VOKa5Vt8sycXAAAAAgAJZ3Rzcm9vdHIyAAABfBBZrUgABVguNTA5AAAF -XjCCBVowggNCoAMCAQICEG5HqcZas+cgxTCaP2hS8m8wDQYJKoZIhvcNAQEMBQAwRzELMAkG -A1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMT -C0dUUyBSb290IFIyMB4XDTE2MDYyMjAwMDAwMFoXDTM2MDYyMjAwMDAwMFowRzELMAkGA1UE -BhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dU -UyBSb290IFIyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzt79pvvs7BQ0PAcG -WmxZ9xk13ffBnVWq0807pJNy7wr6bZ328IWAW6FIUp85xbfuKKzvy3ZoFLnfrQFsmR/EIh2f -/nJ34Cxbr+QEv09yoBo0mOg5aOyVJXt2oeZpuYUZvYmM/q3tNupzvP+D4st9wdLOSrONBZ6L -SZPfwVvQbl7wLjAugvz6vLQXCkjliJvFm2vesMq0A/Da9JC4ZWT3XEyt6H5mXpnXuMI+yNAT -na3u5EV7iVX3ih9iUoQSs8JAl+OKH0eRpnRa0vixYygQuLMJuFZ3QKImmHnG/t8l7j7loH/U -YQ9RSzw/jNrhcHTYwmih+cEM6aHif7tVPHYG7mpOzJKIME2avU8LSJqEtZij1ftzwVdh3ShW -dROuh47nDFEJEHWITLyN+Xs81CJIHyrc62u7RLHLM3EyRq+tSvGM6HQ6rOcaInOA0jD3JULH -Ijs7Eq2WLsbDdgeqILc1SVfpkknodhZyMWcrln6Ko8eUViK/akt+ASGyIzLf5JpEbVlbXfUA -oBybxniXjZD/m8iqtK8RUTle2ftnrdVbEZ0ymhu91bpbpcnLJWlTVSdc4Mo2y4hh+x630Mvu -FvvTpkzekqXU4t/1BlTeLp1LtJMwqoHO3RrcUXMNT3Dp5bYWIRl5suaJC3VkytWrvAnBGKH/ -1FShhTz9FCQDsofTpLcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB -Af8wHQYDVR0OBBYEFLv/yo4jn0+ZytviaKalFScXHtkOMA0GCSqGSIb3DQEBDAUAA4ICAQC2 
-afCmd/6e7guBreHAqcf5NR1AgqvmBLTfy/cdD4PwfhNNjYzu4zMiwzn8QN9uQUtCU74WiPHS -OF7EaJkcmFKTjOdo7Rtqc3oFQE1/ZTvWWPHOg0dg4/+XqZxgdxhVtX4Ik8/Q9jxnAxVhCfmB -efXsU6SfyY8Bi3PEd3bcg6L1DEkaqHbekptk+LMsxSfTB8AIgKSYkuMBlgKqAu6PO8XRbQoz -MHN4uU9UFr8LB6GkXObLyVyEjw/gFXcsfiZ+2sRL26cWdwewzXXockLWlYSdhoPy5JDNCUfU -iwNw2lrGA0L07Tei8BtQVEsO2ITeGSiZgUeuCRs/SNHDb+KwYBf17iMCpdoAW22Qq+6i6Rs7 -6cdEJ0WOa5/1pIS8d/lrl6w+UUWiEabMhe4KaPI+UDh6JGIeFyA3bWpNtwmbyfykWPW2+5xO -GLuVAuehrZsH7jZrJNI5hsGTg1DSgUaoX2JXLLtsZIgIbu8TVF/dLcRnY9PPiTe/nSD0+3qD -m6AegQBQwuQMIllSEO1DVocA+BRSpx2Lk4yiTUZ/J8ZxmyTe5NqGiw1+ayDBwJ7hZdhqo6bo -hYs6BwgcuvWPVZoYdX7l7IFm0SFzoTVEC4A9W5xebyoXltGDI4hmbeaG4nAyL1Ii58jnf8Qs -YF0vw6+eRQXDhAK3/SwIUk+C3aPw1IYJAgAAAAIAEnN3aXNzc2lnbmdvbGRjYS1nMgAAAXwQ -Wa1IAAVYLjUwOQAABb4wggW6MIIDoqADAgECAgkAu0AcQ/VeT7AwDQYJKoZIhvcNAQEFBQAw -RTELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEfMB0GA1UEAxMWU3dpc3NT -aWduIEdvbGQgQ0EgLSBHMjAeFw0wNjEwMjUwODMwMzVaFw0zNjEwMjUwODMwMzVaMEUxCzAJ -BgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMTFlN3aXNzU2lnbiBH -b2xkIENBIC0gRzIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv5O5+iyQOEm6p -UC0WRDuSklzKuF2EkkITKrxlV4JAPlckzVCLJSq3b/zvotDAHwIkShOWjyMT5ihYAKNHxwan -hCMru72WK39VzIvBVx8OYmUP3T1WinParn5tuoEcfkKMIDXZQ02E+oTbUizzDid3C2u/ES9y -eJ8u2D7mGDdaKnL52mKQkpXKH5zpszwry/MBE79az8G1CmC93bWZZFO4oJazb+Imd5GM4GIQ -Ap80D6TVkjNR3r6NuoR6YDxq258r7N7eAT9uTeVQhsu0r+1EQMXKWoza0it8qO6+puUKqg6l -3wVSt1XHIl0yapeXYxPbydt5NnuFOkrFUon5JOedd6mC/1UcpXFpK9ECJPKzJtRr2gRV5cEK -x20wN5Aq5J4UM14WF1XFW7XLNImS8Z0mj6EH1MayeFDbDAwLfAuMQde56d2MiPejTbIyzNgX -2s23zmad1P1e/72XPil1536nYlivJTSlQcc9vA1QygMDDwhaH5VzeGK/r3IUaQ6l5QMOeI4m -KELwBwtiIBBnOUb6qQPMBDh6Zu8gg7WMSlaOkQD8jlyC3oigw+Jobn2N7zzdZfRdrFHvJICu -qlaXb/mtfdphP5h3PKWRthyMJtplogltweJU47nKTEyAj3d7YJoe37bySB4Ouk5UbZjg4aIa -ondQz8RjkuxHGZ3r5mvOwQIDAQABo4GsMIGpMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E -BTADAQH/MB0GA1UdDgQWBBRbJXuWpGVRfrg588B4Zl7oOufw7jAfBgNVHSMEGDAWgBRbJXuW -pGVRfrg588B4Zl7oOufw7jBGBgNVHSAEPzA9MDsGCWCFdAFZAQIBATAuMCwGCCsGAQUFBwIB 
-FiBodHRwOi8vcmVwb3NpdG9yeS5zd2lzc3NpZ24uY29tLzANBgkqhkiG9w0BAQUFAAOCAgEA -J7rjlHzxrsDeF+bl2NX1VLCD9LvNXgV7T591Zq886FZ+/HJ4OAPZK2IbALn46WDNzM5RisdQ -MW7hSn4YL2lZtj1kgSvjg4TmIoeOfeDuAplhuB70uCuIEhaEwjGTOJYxprk7Uz/DJJNWW2mS -7MXBuzgA4+wXqbjcx3wBg58yR7pSIjQdMnoJVqd8JTapPUvawIJvCrsSyIdLJxH5Hi3Hkz+e -218ma1LZLorxFMZEjRWpt7+93qYa7q4t+0h3F/677K8Y9SpR8DmEl5VsbhvDK8R0YHklsAon -399e0jnPRX1CS9+zLB7Fxl3KVTqgnGmaj9rvsrA8n4dsEitlcBVSMRokz28xI1AfjE+PI8N0 -QWMcVagU3T7gUVDP8RswVg6SsIKF2IPLImS8Lbgl1VSiuAbqrZKkJKDBhrVKE2pHzy4LVpVU -y86a22q0prLbQQiGJ3f3aqBCbAs4ztd1UDKSwt8rMCJI0NVBOCVdpOldn8aUddBF/TCXQ4+Q -qwrHhnNgSmkt3qV41wbaap5LPnc6IBMiAdC/aJ5jYGs1TQttuqE9wJPgfyOzVa1yJU5G+dIW -77BkwQGe6cqgapgOz9hg8i9JuORC4Tg1FvTIbk/3gVbouqO+I6+u/W8D4AI7MHb6G21BzwGx -6bjJZvTbJvM6pHTySSRbybDQV8H6Pnrhl8kAAAACABVjb21vZG9hYWFzZXJ2aWNlc3Jvb3QA -AAF8EFmtSAAFWC41MDkAAAQ2MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQsw -CQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxm -b3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj -YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezELMAkGA1UE -BhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBwwHU2FsZm9yZDEa -MBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMMGEFBQSBDZXJ0aWZpY2F0ZSBT -ZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL5AnfRu4ep2hxxNRUSO -vkbIgwadwSr+GB+O5AL686tdUIoWMQuaBtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70 -VJoSCsN6sjNg4tqJVfMiWPPe3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5 -YZ92IFCokcdmtet4YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4 -qMsXeDZRrOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm -ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQUoBEKIz6W -8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wewYDVR0f -BHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20vQUFBQ2VydGlmaWNhdGVTZXJ2 -aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29tb2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNl -cnZpY2VzLmNybDANBgkqhkiG9w0BAQUFAAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMym 
-trwUSWgEdujm7l3sAg9g1o1QGE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHC -v8S5dIa2LX1rzNLzRt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8 -tqtlbgT2G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi -l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3smPi9WIs -gtRqAEFQ8TmDn5XpNpaYbgAAAAIAFGRpZ2ljZXJ0Z2xvYmFscm9vdGcyAAABfBBZrUgABVgu -NTA5AAADkjCCA44wggJ2oAMCAQICEAM68eanEamguyhksR0J+uUwDQYJKoZIhvcNAQELBQAw -YTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRp -Z2ljZXJ0LmNvbTEgMB4GA1UEAxMXRGlnaUNlcnQgR2xvYmFsIFJvb3QgRzIwHhcNMTMwODAx -MTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNl -cnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBH -bG9iYWwgUm9vdCBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALs3zTTce2vJ -smiQrUp1/0a6IQoIjfUZVMn7iNvzrvI6iZE8euarBhprz6wt6F4JJES6Ypp+1qOofuBUdSAF -rFC3nGMabDDc2h8Zsdce3v3X4MuUgzeu7B9DTt17LNK9LqUv5Km4rTrUmaS2JembawBgkmD/ -TyFJGPdnkKthBpyP8rrptOmSMmu181foXRvNjB2rlQSVSfM1LZbjSW3dd+P7SUu0rFUHqY+V -s7Qju0xtRfD2qbKVMLT9TFWMJ0pXFHyCnc1zktMWSgYMjFDRjx4Jvheh5iHK/YPlELyDpQrE -Zyj2cxQUPUZ2w4cUiSE0Ta8PRQymSaG6u5zFsTODKYUCAwEAAaNCMEAwDwYDVR0TAQH/BAUw -AwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFE4iVCAYlebjbuYP+vq5Eu0GF485MA0G -CSqGSIb3DQEBCwUAA4IBAQBgZyiUbw5IY+sx3epnGNWJfTzFi0p/6b7bKxffsF9zdyoyEzmB -Z0KEI/JFZzXsiL/4j7BhDDSkriBMhMbb+DXhdtnfpkK7x0QIhn82dCRa2mwNFFk1vfJJ3bYf -ybMNRyo9mS+7XLu11CDhmV9TRhXbaJvw8zDVPjHijYSe44ra2pY+NROlX/D5cFBwR0ERVxlO -wI+uBsSVExcvGyWfdfKxjpmhbxOxQXH+iCrITxAgVdfzFEXl4ET06oeVMpMO/lNG+iyd/4si -uUvZCUWk3qS4mljdG31Sn45ZQ4iBpJ4m1W+t3Q3GN33tA5Ib5Xdfdu48jcRdVlui2WZuszU3 -5TK2AAAAAgAJZ3Rzcm9vdHIxAAABfBBZrUgABVguNTA5AAAFXjCCBVowggNCoAMCAQICEG5H -qcVLRwwN7DPQibkc9OEwDQYJKoZIhvcNAQEMBQAwRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT -GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIxMB4XDTE2 -MDYyMjAwMDAwMFoXDTM2MDYyMjAwMDAwMFowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdv -b2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFIxMIICIjANBgkq 
-hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAthECix7joXebO9y/lD63ladAPKH9gvl9MgaCcfb2 -jH/76Nu8ai6Xl6OMS/kr9rH5zoQdsfnFl97vufKj6bwSiV6nqlKr+CMny6SxnGPb15l+8Ape -62im9MZaRw1NEDPjTrETo8gYbEvs/AmQ351kKSUjB6G00j0uYODP0gmHu81I8E3CwnqIiru6 -z1kZ1q+PsAewnjHxgsHA3y6mbWwZDrXYfiYaRQM9sHmklCitD38m5agI/pboPGiUU+6DOogr -FZYJsuB6jC511pzrp1Zkj5ZPaK49l8KEj8C8QMALXL32h7M1bKwYUH+E4EzNktMg6TO8Upmv -MrUpsyUqtEj5cuHKZPfmghCN6J3Cioj6OGaK/GP5Afl4/Xtcd/p2h/rs37EOeZVXtL0m79YB -0esWCruOC7XFxYpVq9Os6pFLKcwZpDIlTirxZUTQAs6qzkm06p98g7BAe+dDq6dso499iYH6 -TKX/1Y7DzkvgtdizjkXPdsDtQCv9Uw+wp9U7DbGKogPeMa3Md+pvez7W35EiEua++tgy/BBj -FFFy3l3WFpO9KWgz7zpm7AeKJt8T11dleCfeXkkUAKIAf5qoIbapsZWwpbkNFhHax2xIPEDg -fg1azVY80ZcFuctL7TlLnMQ/0lUTbiSw1nH69MG6zO0b9f6BQdgAmD06yK56mDcYBZUCAwEA -AaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOSvKyZx -GitIJ4UvUmYs7/CJE3E+MA0GCSqGSIb3DQEBDAUAA4ICAQA4lgruPbSWHl/vnZwLM58r4Mr9 -0o4KH0F0pXyqhNTl8h7mN1IynAvRYR2/KMG2RCk1dXeYsnzZvXSsimjjqTEJKQFgc+NHfFOo -kEon70vXn5PngjbOmmgMgufP1BAWb18OmVz2H3F97+97L37qNtaXcAsV7tdcVmozpeNJOAy4 -ffuNhaSxWV70auHdofZkRK7mUYMhZsYRPvPOR+6cKB8l2v+sZpXdNQ9c7yAsYv2RuqnM/Fqc -k4GDKZdKfFpytDnQt3fLef1pOpI37W44ZUZ+6WC9eYiXXzgS9O6vW4LIhtXhmW2MBPJ2ukn2 -bultHl+g7yeCdkD4ptNYXA8sQtpCxnuINMfB2EWbwT7FYR3ZY1BJ9jSFauAYxW5Hq0FCKZv2 -YA3SMdNjmCOTWgCBSLTvzYrNyc+Z7tmeqjbhaEtxSRQ2KDo9Hc6ajyXmgHFhK7V7zPklFoHh -MV+ho34WpJwWapcYvXZypQueHTbmL6EvvnCRD6jm2vjEkkBsJX57swncshetgETwaKWPlHX/ -dFroqAJ8DAniqUsLoIULYrnvoTGS++/2UQSJbOipdKG7F7O1/UkPfDzsgxggQ07Vk7q0NLEf -FjYfDOZkORZM3OD+HcipYj1A6srFNAK0romIMzXcLBNz2Cfx0HLudTsi3phoZlvxxmNHVRy6 -pQhRdaZIJQAAAAIAC2RzdHJvb3RjYXgzAAABfBBZrUgABVguNTA5AAADTjCCA0owggIyoAMC -AQICEESvsIDWoye6iTA5hi74QGswDQYJKoZIhvcNAQEFBQAwPzEkMCIGA1UEChMbRGlnaXRh -bCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzAeFw0wMDA5 -MzAyMTEyMTlaFw0yMTA5MzAxNDAxMTVaMD8xJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJl -IFRydXN0IENvLjEXMBUGA1UEAxMORFNUIFJvb3QgQ0EgWDMwggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQDfr+mXUAiDV7TMYmX2kILsx9MsazDKW+zZw33HQMEYFIvg6DN2SSrj 
-PyFJk6xODq8+SMtl7vzTIQ9l0irZMo+M5fd3sBJ7tZXAiaOpuu1zLnoMBjKDon6KFDDNEaDh -Kji5eQox/VC9gGXft1Fjg8jiiGHqS2GB7FJruaLiSxoon0ijngzaCY4+Fy4e3SDfW8Yqiqsu -vXCtxQsaJZB0csV7aqs01jCJ/+VoE3tUC8jWruxanJIePWSzjMbfv8lBcOwWctUm7DhVOUPQ -/P0YXEDxl+vVmpuNHbraJbnG2N/BFQI6q9pu8T4u9VwInDzWg2nkEJsZKrYpV+PlPZuf8AJd -AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTE -p7Gkeyxx+tvhS5B1/8QVYIWJEDANBgkqhkiG9w0BAQUFAAOCAQEAoxosmxcAXKke7ihmNzq/ -g8c/S8MJoJUgXePZWUTSPg0+vYpLoHQfzhCCnHQaHX6YGt3LE0uzIETkkenM/H2l22rl/ub9 -4E7dtwA6tXBJr/Ll6wLx0QKLGcuUOl5IxBgeWBlfHgJa8Azxsa2p3FmGi27pkfWGyvq5ZjOq -WVvO4qcWc0fLK8yZsDdIz+NWS/XPDwxyMofG8ES7U3JtQ/UmSJpSZ7dYq/5ndnF42w2iVhQT -OSQxhaKoAlowR+HdUAe8AgmQAOtkY2CbFryIyRLm0n2Ri/k9Mo1ltOl8sVd26sW2KDm/FWUc -yPZ3lmoKjXcL2JELBI4H2ym2Cu6dgjU1EAAAAAIACGNlcnRpZ25hAAABfBBZrUgABVguNTA5 -AAADrDCCA6gwggKQoAMCAQICCQD+3OMBD8lI/zANBgkqhkiG9w0BAQUFADA0MQswCQYDVQQG -EwJGUjESMBAGA1UECgwJRGhpbXlvdGlzMREwDwYDVQQDDAhDZXJ0aWduYTAeFw0wNzA2Mjkx -NTEzMDVaFw0yNzA2MjkxNTEzMDVaMDQxCzAJBgNVBAYTAkZSMRIwEAYDVQQKDAlEaGlteW90 -aXMxETAPBgNVBAMMCENlcnRpZ25hMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -yGjxydbWszR1JoIe7LS+6lzhJu0RR2HhonwWeEAh5GCeWshj4cSxlpL/GG1pI+ErYvfd4jYv -kQe5SM8O7Hm2LOc0S3AIJaM8hxsZ8oEHDziQGdMR/oa08tFeHh6WzYBszjsxk7byoNCplRJ9 -pZrMa8iEVoozqeciFVMW8MwX7Fdf6aIKmAne41+cb9xI44ULFVqmup+sSOMJsvf0Mt5eNL4c -eF1CW84OIo9NkNd9MhizCyxqv44/FBGJIA53FLU9lAiH9yUe1bJgAOxvKiglbio+GGMXJT8+ -RCAW9ibIJa4FSrTnYyzzjBZTflz7ERoIwUZinyK48cKNadz6OlgG3wIDAQABo4G8MIG5MA8G -A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBrt/kE5kLQkWb4B8lLVRfZaOdwRMGQGA1UdIwRd -MFuAFBrt/kE5kLQkWb4B8lLVRfZaOdwRoTikNjA0MQswCQYDVQQGEwJGUjESMBAGA1UECgwJ -RGhpbXlvdGlzMREwDwYDVQQDDAhDZXJ0aWduYYIJAP7c4wEPyUj/MA4GA1UdDwEB/wQEAwIB -BjARBglghkgBhvhCAQEEBAMCAAcwDQYJKoZIhvcNAQEFBQADggEBAIUDHpJx9kKv4aNhnuvz -wA/ypdTalebWvmg2PX5uH0yK79EPIW1epVJjzhL47yrab+s3/hMCx8s7PiJr2mEuf9RyPd0w -4R5MQBmMD9ec0YMwe5hZ3H3GuQwpTKEzoutnOmWE05bi7XZFcI+1K975I9ZJbjwUtcafNR5Q -0MGPanBEAmLLrh1oQaeqV+hTqgfSBvbVFAYLkQN1LGxytWGVmg2LuQ3n9d9Uzd7m2NYJCJdj 
-5cEusLdEJsAmwK9VMJ471TYqGQT0XB7/zyy3/9D9h0AR1REju0jAIamkKC39FfiwTiv0MFsh -/BGRNL5B73udl3X/l5XAllgv6rtG17vk2S4AAAACAB1kaWdpY2VydGhpZ2hhc3N1cmFuY2Vl -dnJvb3RjYQAAAXwQWa1IAAVYLjUwOQAAA8kwggPFMIICraADAgECAhACrFwmagtAm48LefKu -RiV3MA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJ -bmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2gg -QXNzdXJhbmNlIEVWIFJvb3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBs -MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGln -aWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBFViBSb290IENB -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJ -tnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGR -fmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42z -xyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0 -BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGh -JR6HXRpQCyASzEG7bgtROLhLywIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/ -BAUwAwEB/zAdBgNVHQ4EFgQUsT7DaQP4v0cB1JgmGggC72NkK8MwHwYDVR0jBBgwFoAUsT7D -aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQEFBQADggEBABwaBpfc15yfPIhmBghXIdsh -R/gqZ6q/GDJ2QBBXwYrzetkRZY41+p78RbWe2UwxS7iR6EMsjrN4ztvjU3lx1uUhlAHaVYea -JGT2imbM3pw3zag0sWmbI8ieeCIrcEPjVUcxYRnvWMWFL04w9qAxFiPI5+JlFjPLvxoboD34 -yl6LMYtgCIktDAZcUrfE+QqY0RVfnxK+fDZjOL1EpH/kJisKxJdpDemM4sAQV7jIdhKRVfJI -adi8KgJbD0TUIDHb9LpwJl2QYJ68SxcJL7TLHkNoyQcnwdJc9+ohuWgSnDycv578gFybY83s -R6olJ2egN/MAgn1U16n46S4To3foH0oAAAACACJ1c2VydHJ1c3Ryc2FjZXJ0aWZpY2F0aW9u -YXV0aG9yaXR5AAABfBBZrUgABVguNTA5AAAF4jCCBd4wggPGoAMCAQICEAH9bTD8o8pRqBu8 -ZA41Ay0wDQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVy -c2V5MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3 -b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4X -DTEwMDIwMTAwMDAwMFoXDTM4MDExODIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQI -EwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJU 
-UlVTVCBOZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0 -aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw12 -7c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC -tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQfjtTkUcYR -Z0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9X -Wrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND -8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND -5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjN -hLixP6Q5D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ -WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMa -TLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX -HAc/DVL17e8vgg8CAwEAAaNCMEAwHQYDVR0OBBYEFFN5v1qqK0rPVIDh2JvAnfKyA2bLMA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQBc1HwN -z/cBfUGZZQxzxVKfy/jPmQZ/G9pDFZ+eAlVXlhTxUjwnh5Qo7R86ATeidvxTUMCEm8ZrTrqM -IU+ijlVikfNpFdi8iOPEqgv976jpS1UqBiBtVXgpGe5fMFxLJBFV/ySabl4qK+4LTZ9/9wE4 -lBSVQwcJ+2Cp7hyrEoygml6nmGpZbYs/CPvI0UWvGBVkkBIPcyguxeIkTvxY7PD0Rf4is+sv -jtLZRWEFwZdvqHZyj4uMNq+/DQXOcY3mpm8fbKZxYsXY0INyDPFnEYkMnBNMcjTfvNVx36px -3eG5bIw8El1l2r1XErZDa//l3k1mEVHPma7sF7bocZGM3kn+3TVxohUnlBzPYeMmu2+jZyUh -XebdHQsuaBs7gq/sg2eF1JhRdLG5mYCJ/394GVx5SmAukkCuTDcqLMnHYsgOXfc2W8rgJSUB -tN0aB5x3AD/Q3NXsPdT6uz/MhdZvf6kt37kC9/WXmrU12sNnsIdKqSieI47/XCdr4bBP8wfu -AC7UWYfLUkGV6vRH1+5kQVV8jVkCld1incK57loodISlm7eQxwwH3/WJNnQy1ijBsLAL4JxM -wxzW/ONptUdGgS+igqvTY0RwxI3/LTO6rY97tXCIrj4Zz0Ao2PzIkLtdmSL1UuZYxR+IMUPu -iB3Xxo48Q2odpxjefT0W8WL5ypCo/QAAAAIADmNlcnRzaWducm9vdGNhAAABfBBZrUgABVgu -NTA5AAADPDCCAzgwggIgoAMCAQICBiAGBRZwAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQG -EwJSTzERMA8GA1UEChMIY2VydFNJR04xGTAXBgNVBAsTEGNlcnRTSUdOIFJPT1QgQ0EwHhcN -MDYwNzA0MTcyMDA0WhcNMzEwNzA0MTcyMDA0WjA7MQswCQYDVQQGEwJSTzERMA8GA1UEChMI -Y2VydFNJR04xGTAXBgNVBAsTEGNlcnRTSUdOIFJPT1QgQ0EwggEiMA0GCSqGSIb3DQEBAQUA 
-A4IBDwAwggEKAoIBAQC3M7l+yCVKjrXbtCgbqleQ6NEi02S605Po1KyGYUBqYFdoVIRNvGpU -AgX/35uaKq5dB49Kwyh/7/sr+nnxx63wEFMkkItmyaiIq69aowDpvrpG7ltzeywXgoFeYiyh -AmWzvcUrAH7E/AMzVw3t4vrOXUXWOM01trLB0JyBSqrksgFcHY9fmcSxrduIIeuQCIKA8zCj -Q+aQgq5VKEntW9epEDgO/o9MW5tG6kH1sAh0w9CIM7Z813Tf3ITRQw51OaElQCjqeMsOLC45 -nYyLbhYcLyaCEOLjZZQKBMBe911b+BDi0Lp6S/veNwAAGlso49Kccz4yh5ihyVEv196sM7NP -AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQWBBTg -jJvbJUmz8XyG1rJChwvQa6DZ5DANBgkqhkiG9w0BAQUFAAOCAQEAPtIciS41/Ph13eZ/ZYj0 -ckzJLNcyTvPdGXlHvY47W5MPUEkkE2sUBnLvCdOhoeNAhMnnGDJ0PEhuD59L1Pce05OGZFSX -Y3JQ1VXP+iCTAqKbwyOTThZVdqBweW3NIR/PLy28GeOIMfhZGoEJyJemdMdgxFvMV46ydf0b -AgnbWW9yk2n3MUHWiDi/h7K9Fnn5quS+iCXdYScjHLUxBwQ2tBqQvaB0cVCJbbwU4w+GrvGr -PsegCcyjSNHg22TnkrXPr3JDcIv5w4Q8E6p+kptXU5P6cMKRDjH5m2dd6ZY4Xl+zc06IFWfe -nnYQYiC+VWmVQwA5TfbusFpOSURUWF9CgwAAAAIADWFtYXpvbnJvb3RjYTQAAAF8EFmtSAAF -WC41MDkAAAH2MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQD -AzA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9v -dCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMx -DzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgNDB2MBAGByqGSM49 -AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi9i0b2whxIdIA6GO9mif78DluXeo9 -pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83BkM6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvou -XKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzpl -bszh2naaVvuc84ZtV+WBMAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0r -z2ZVwyzjKKlwCkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRM -StuW1KyLa2tJElMzrdfkviT8tQp21KW8EAAAAAIAEGNlcnRzaWducm9vdGNhZzIAAAF8EFmt -SAAFWC41MDkAAAVLMIIFRzCCAy+gAwIBAgIJEQA0tk7GNi02MA0GCSqGSIb3DQEBCwUAMEEx -CzAJBgNVBAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJR04g -Uk9PVCBDQSBHMjAeFw0xNzAyMDYwOTI3MzVaFw00MjAyMDYwOTI3MzVaMEExCzAJBgNVBAYT -AlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJR04gUk9PVCBDQSBH -MjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDFdRmRfUR0dIf+DjuW3NgBFszu 
-Y5HnC2/OOwppGnzC46+CjobXXo9X69MhWf05N0IwvlDqtg+piNguLWkh59E3GE59kdUWX2tb -AMI5Qw02hVK5U2UPHULlj88F0+7cDBrZuIt4ImfkabBoxTzkbFpG583H+u/E7Eu9aqSs/cwo -Ue+StCmrqzWaTOTECMYmzPhpn+Sc8CnTXPnGFiWeI8MgwT0PPzhAsP6CRDiqWhqKa2NYOLQV -07YRaXseVO6MGiKscpc/I1mbySKEwQdPzH/iV8oScLumZfNpdWO9lfsbl83kqK/20U6o2Ypx -JM02PbyWxPFsqa7lzw1uKA2wDrXKUXt4FMMgL3/7FFXhEZn91QqhngLjYl/rNUssuHLoPj1P -rCy7Lobio3aP5ZMqz6WryFyNSwb/EkaseMsUBzXgqd+L6a8VTxaJW732jcZZroiFDsGJ6x9n -xUWO/203Nit4ZoORUSs9/1F3dmKh7Gc+PoGD4FapUB8fepmrY7+EF3fxDTvf95xhszWYijqy -7DwaNz9+j5LP2RIUZNoQAhVB/0/E6xyjyfqZ90bp4RjZsbgyLcsUDFDYg2WD7rlcz8sFWkz6 -GZdr1l0T08JcVLwyc6B49fFtHsufpaafItzRUZ6CeWRgKRM+o/1Pcmqr4tTluCRVLERLiohE -nMqE0yo7AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1Ud -DgQWBBSCIS1mxteg4BXrzkwJd8RgnlRuAzANBgkqhkiG9w0BAQsFAAOCAgEAYN4auOfyYILV -AzOBywaK8SJJ6ejqkX/GM15oGQOGO0MBzwdw5AgeZYWR5hEit/UCI46uuR59H35s5r0l1ZUa -8gWmr4UCb6741jH/JclKyMeKqdmfS0mbEVeZkkMR3rYzpMzXjWR91M08KCy0mpbqTfXERMQl -qiCA2ClV9+BB/AYm/7k29UMUA2Z44RGx2iBfRgB4ACGlHgAoYXhvqAEBj500mv/0OJD7uNGz -cgbJceaBxXntC6Z58hMLnPddDnskk7RI24Zf3lCGeOdA5jGokHZwYa+cNywRtYK3qq4kNFty -DGkNzVmf9nGvnAvRCjj5BiKDUyUM/FHE5r7iOZULJK2v0ZXkltd0ZGtxTgI8qoXzIKNDOXZb -bFD+mpwUHmUUihW9o4JFWklWatKcsWMy5WHgUyIOpwpJ6st+H6jiYoD2EEVSmAYY3qXNL3+q -1Ok+CHLsIwMCPKaq2LxndD0UF/tUSxfj03k9bWtJySgOLnRQvwzZRjoQhsmnP+mg7H/rpXdY -aXHmgwo38oZJar55CJD2AhZkPuXaTH4MNMn5X7azKFGnpyuqSfqNZSlO42sTp5SjLVFteAxE -y9/eCG/Oo2Sr05WE1LlSVHJ7liXMvGnjSG4N0MedJ5qq+BOS3R7fY581qRY27Iy4g/Q9iY/N -tBde17MXQRBdJ3NghVdJIgcAAAACAA1hbWF6b25yb290Y2EzAAABfBBZrUgABVguNTA5AAAB -ujCCAbYwggFboAMCAQICEwZsn9V0lzZmPzsLmtnonnYD8kowCgYIKoZIzj0EAwIwOTELMAkG -A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMzAe -Fw0xNTA1MjYwMDAwMDBaFw00MDA1MjYwMDAwMDBaMDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQK -EwZBbWF6b24xGTAXBgNVBAMTEEFtYXpvbiBSb290IENBIDMwWTATBgcqhkjOPQIBBggqhkjO -PQMBBwNCAAQpl6fGQX/ADZvoARtWxvJSpbotshLo0i7X+snF2KptH3OBOzuYazl8M6XFToaO -gBdoYkVXfURYHbM35WcI62beo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB 
-hjAdBgNVHQ4EFgQUq7bb1waeN6wwhgeRcMecxBmxeMAwCgYIKoZIzj0EAwIDSQAwRgIhAOCF -kqMXt435Kwalk6wamGhhcvrhodD7HHhgpkOZxbjEAiEAnALv8ZScs5b568Yq+LYs/jqQFBbX -jGMkSBzfMH3VaDsAAAACAA1hbWF6b25yb290Y2EyAAABfBBZrUgABVguNTA5AAAFRTCCBUEw -ggMpoAMCAQICEwZsn9KWNYafCg/lhnj4Wya7ijcwDQYJKoZIhvcNAQEMBQAwOTELMAkGA1UE -BhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMjAeFw0x -NTA1MjYwMDAwMDBaFw00MDA1MjYwMDAwMDBaMDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZB -bWF6b24xGTAXBgNVBAMTEEFtYXpvbiBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4IC -DwAwggIKAoICAQCtlp8tnEpMSoF5UZnsistrYFETvE1tBvywCI3dGRBqxyYMNdjAbyCE6ZSx -m4UDw1vbSujI+JB22VtP40zoBjZNzJqsPQyQK5LUBhlgrDdEeYWBgq1aN+ANzJ2mTFJ26kOd -twTRUPZV4NXSpkmF6Tfpyn6uXJVNSJo/riBabYiV2TS4UhpDkLC/bAW5tni36tDkOjwSU2L/ -SvJ7vjUFqRI04/NkdGIsPQBJWij+MkS7h91lJwJxO9pK9x/azfchVZBPD+yuguGfa9lF07vw -X4ftPCw5hto/3uxyVet5o63b3XywuhzO/N5PNXbPD/h4H2o2UUYnYVvpns/wolV9fCWKby+0 -xc+ELiv9DVEQbPtfG7wbfsWuO5gBMZL/C1f0mrK5V+mr7w120fDu9M6Gp+Bu6bRpod9p9jPG -aS6XE56lh7BXEIE3yVOzu3/2ktGc0Bj0km7ag0+mY5lMpfte7yFkeiBfbGSFFcs36WIMCyoW -3AEuMto+S/WeOvYXQJTvnpEIhvq+Y6haM+zLdEOV+WxpUjbHKW/8VQNcH/ufvUfr50lHlQtO -iSIJSeD1YR7xvy6Kcm6AWf9XOvl1MqNOX+ztKGLZTXPyzIEXYO3N69zbp8rFfgK98lQIVP20 -LQksF1RKmNFU4VFnCNLtbn5vP9ItgVkpZsuQOZURHnQn/t3rrwIDAQABo0IwQDAPBgNVHRMB -Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUsAzwTDD0BVgCSP0z5VKvS4Tj -ZlIwDQYJKoZIhvcNAQEMBQADggIBAKqogI8OeKPgotTN5vWYejvqAAOwlw6TvFqo9iyMcoep -sfx/c/1jcXilh1nPMOENELITWm2C9WrmgJ+gBQto5Edrx2rftv13MnLlGPoJ9KCTLF3SjHWF -dmWQDAN5tzEjY614gwmGaITK//nPJpqSeefNS8XnYacXy/OpEpOTa6foL1OSxGBYsMwCURhb -hY1iWWO2rbTemvsm9wAnwF1VN3SZyVB/41kuROMsJe7sTDJ3tJ8a6UtdIMXa/RyHFsZD6NS7 -JppFcF6pCzdT4kZ7J/3gRvKJt8xCtssoJm7Zpck6yEETYPdQjBWusm0aFRpXeOaSKtllkII/ -bAKvrhI6J5Y2BNcdooBjqZvx5bq0fBSwTsmxH3RfOPZR6pv6LKIR1KktJxpFsa+yTnENwFhG -1mkGy1PLs/5rQc1Bfn1MD3xyeXpZzV5KDqybqZhzeXy09My5uAcMsnRcuMdviKGQp/Sq+b9n -OvQaFWIet5++PbEpr2ehEvJYEBlTAzAbuBqJ9py9lwOOownzHYsh8bTf5BzRn2UCBupc1hOz -hO+ipVyMdymnaMBrrkDSqLTqzfCNSzicGZobKFS4iZDvynWBPh7yZCTHGK9O/0eeB/Y1ZaTT 
-Clb/9RdkbO+oIiVJk7bfABfaWH5d7sUbsNHRXyEQx/nzugIKJwfF8dbH0+D7CWBsAAAAAgAU -dHJ1c3Rjb3Jyb290Y2VydGNhLTIAAAF8EFmtSAAFWC41MDkAAAYzMIIGLzCCBBegAwIBAgII -JaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5h -bWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQwIgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMu -IGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0G -A1UEAwwWVHJ1c3RDb3IgUm9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEyMzEx -NzI2MzlaMIGkMQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5h -bWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQL -DB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29yIFJv -b3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnIG7CKqJiJJWQ -dsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+QVqedd2NyuCb7GgypGmSaIwLgQ5W -oD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2 -YVpHI7TYabS3OtB0PAx1oYxOdqHp2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbI -XvRR/u8OYzo7cbrPb1nKDOObXUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFap -RBF37120Hapeaz6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTC -HWKF3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88oWP7 -+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjxklb9tTNMg9zXEJ9L/cb4 -Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3mjOAPF5GP/fDsaOGM8bo -Xg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh8N0JqSDIvgmk0H5Ew7IwSjiqqewY -mgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAdBgNVHQ4EFgQU2f4hQG6UnrybPZx9mCAZ5Yww -YrIwHwYDVR0jBBgwFoAU2f4hQG6UnrybPZx9mCAZ5YwwYrIwDwYDVR0TAQH/BAUwAwEB/zAO -BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/hOsh80QA9z+LqBrWy -OrsGS2h60COXdKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnpkpfbsEZC89Ni -qpX+MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv2wnL/V9l -FDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RXCI/hOWB3S6xZ -hBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYaZH9bDTMJBzN7Bj8RpFxw -PIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW2dCFmU2Umw9Lje4AWkcdEQOsQRiv 
-h7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JML -iI+h2IYURpFHmygk71dSTlxCnKr3Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8 -hAs/hCBcNANExdqtvArBAs8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQgu -LvqcAFLTxWYp5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/ -D1Fu1uwJAAAAAgANYW1hem9ucm9vdGNhMQAAAXwQWa1IAAVYLjUwOQAAA0UwggNBMIICKaAD -AgECAhMGbJ/Pmb+MCjni8HiKQ+aWNlvKMA0GCSqGSIb3DQEBCwUAMDkxCzAJBgNVBAYTAlVT -MQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpvbiBSb290IENBIDEwHhcNMTUwNTI2 -MDAwMDAwWhcNMzgwMTE3MDAwMDAwWjA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9u -MRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAsniAccp41eNxr0eAUHR9btjXiHb0mWj3WCFg+XSEAS+sAi2G06BDek6ypNA2ugG+ -jdtIyAcXNkz07ogjxz7rN/W1GfhJaLDe17l2OB1hnqT+gjal5UpW5EXh+f20Fvp02pybNTkv -+rAgUAZsetCAsqb5r+xHGY9QOAfcooc5WPi61an5SGcwlu6UeF5viaNRwDCGZqFFZrpU66PD -kflI3P/R6DAtfS10cDXXiCT3nsRZbrtzhxfyMkYouEP6tx2qyrTynyQOLUv3cVxeaf/qlQLL -OIquUDhv2/stYhvFxx5U4XfgZ8gPnIcj1j9AIH8ggMSATD47JCaOBK5smsiqDQIDAQABo0Iw -QDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUhBjMhTTsvAyU -lC4IWZzHshBOCggwDQYJKoZIhvcNAQELBQADggEBAJjyN1pBkKEaxXZRKCA2Iw6u5ii7qviU -rkikMH8b/CSNS7TIoZf2tvF6cMhTk8wIKOOYJc8jpPneIdN8hQmtTpp1OsILaol4dkRHGGVs -jUGOO3+ay/S1p1DXBSw36ANLrelhoAJu9fLwxbLtW7fc+pRcd54TpX9SrZXy+JM73otcW8pa -UltgrxT3S++j+59AlW0xVPxC08dGHyOt2Q9IcJrZdXhx0XJDNHVuV1nCAlwmYCnPIxkWjohD -pdTkywj7IxFD6EMpcmKhqV1eCNSQrrjYzhTC0FXyhvbEk0N3ZmHAuehB15d4YANuSnKupdF9 -uhCehmwbirlZM/jrxJC+8bkAAAACABR0cnVzdGNvcnJvb3RjZXJ0Y2EtMQAAAXwQWa1IAAVY -LjUwOQAABDQwggQwMIIDGKADAgECAgkA2pvscfMDsBkwDQYJKoZIhvcNAQELBQAwgaQxCzAJ -BgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQwIgYD -VQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29yIENl -cnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3IgUm9vdENlcnQgQ0EtMTAe -Fw0xNjAyMDQxMjMyMTZaFw0yOTEyMzExNzIzMTZaMIGkMQswCQYDVQQGEwJQQTEPMA0GA1UE -CAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lz 
-dGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3Jp -dHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0IENBLTEwggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQC/jreV4sImEmszGcdAWAqrWaqNAKP8gMdQe47UICa6MhLYI1RJJRAi -mJ1G0sHJnk4bLiwOOPMaJWgcploF5h6LSL+YlnQ+acrptXilBrzVAF4JCvInelL8LdWx6rSJ -YSTzGhPbqc9S7Qwkurme7H4AdPqTrWwpkq5RtLvTV7+z86iNnPQkSyrWmZ70nv7AfkI65wuV -U9q3aA6QTPtwP49KLJTzJt1jaamU2BBOxUcIkJkbF025bG7vYJURjiGAtb2gc9jQsnfERepa -Jvtmdnb4Bh9hbQ9VxYO3EFZyBgel87EaAwVkDp1aitaGcBsk3v4oiivQarD8eqLcsnkOi2UP -AgMBAAGjYzBhMB0GA1UdDgQWBBTua0k8ej8N47EJt4rIqxmfczNQ5zAfBgNVHSMEGDAWgBTu -a0k8ej8N47EJt4rIqxmfczNQ5zAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAQEAJRjUkY8T7o8eHRFT2i1EKRmgHmsxnk0Onq09XEFvlSskoXmY -Ojg2+7tmnkj/kJDvPdS4m7SHdT8gm85yz6FVwU1kohkGoQczDAsp5fHqq6PstQp0kMd9cvLX -XJ+R75GLt9ztZqLPjmY7vJ86AuAn3RaYwJXUCqTkgZp1lDWckF+INwatWZUKsNFn0xnKiecy -WjYcPoKoWpO+xtBkkbbP2bYYz9t+0mWjpsSOFzHB+35229OF41iyd3p2O2wvUBzn2/ZneR/1 -gpWaB6cUr4/cKCFnCdLWTVocGRyOd1zDlCQ9MmtLftR4lIO+N03OX8ceTjzgiTOVCw+lMtY8 -WnksGQAAAAIAJHNzbC5jb21yb290Y2VydGlmaWNhdGlvbmF1dGhvcml0eWVjYwAAAXwQWa1I -AAVYLjUwOQAAApEwggKNMIICFKADAgECAgh15t/LwWhbqDAKBggqhkjOPQQDAjB8MQswCQYD -VQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24xGDAWBgNVBAoMD1NT -TCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNvbSBSb290IENlcnRpZmljYXRpb24gQXV0 -aG9yaXR5IEVDQzAeFw0xNjAyMTIxODE0MDNaFw00MTAyMTIxODE0MDNaMHwxCzAJBgNVBAYT -AlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENv -cnBvcmF0aW9uMTEwLwYDVQQDDChTU0wuY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkgRUNDMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERW6pUMSmIzaeXyiNF8uWImQ/3HqOHcwI -s6JxJLqOSbkEG0eWWKstlcjtngg1yCfriYxTWOtiiv7wWw9rMVJjQTuJzezsto0Z0zQH3LvG -Bn/CRZXsy3+oI+AJ6YH680fTo2MwYTAdBgNVHQ4EFgQUgtGFczDnNQTTjgKS++Wk0cQh6M0w -DwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBSC0YVzMOc1BNOOApL75aTRxCHozTAOBgNV -HQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDZwAwZAIwb+frWRGkYM9hsJZ77QX5LxOR3O3l/FBr -EUZGsxwhAGK7vsPn6M0HmfkNC11yPsSqAjAfvLoL4jAk+3xtgFUKmT6ADTPlZqOzo7ul1YuP 
-CSymXX7i8AcIaG3SfGluX9/lamUAAAACACRzc2wuY29tcm9vdGNlcnRpZmljYXRpb25hdXRo -b3JpdHlyc2EAAAF8EFmtSAAFWC41MDkAAAXhMIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJ -KoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdI -b3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9v -dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBSU0EwHhcNMTYwMjEyMTczOTM5WhcNNDEwMjEy -MTczOTM5WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0 -b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNvbSBSb290IENl -cnRpZmljYXRpb24gQXV0aG9yaXR5IFJTQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAPkP3aMrfcvQKv7sZ4Wm5y4bunfh4/WvpOz6Sl2RxFdHaxh3a3by/ZPkPQ/CFp4LZsNW -lJ4Xg4XOVu/yFv0AYvUiCVToZRdOQbngT0aXqhvIuG5iXmmxX9sqAn78bMrzQdjt0Oj8P2FI -7bADFB0QDksZ4LtO7IZl/zbzXmcCC52GVWH9ejjt/uIZALdvoVBidXQ8oPrIJZK0bnoix/ge -oeOy3ZExqysdBP+lSgQ36YWkMyv94tZVNHwZpEpox7Ko07fKoZOI68GXvIz5HdkihCR0xwQ9 -aqkpk8zruFvh/l8lqjRYyMEjVJ0bmBHDOJx+PYZspQ9AhnwC9FwCTyjLrnGfDzrIM/4RJTXq -/LrFYD3ZfBjVsqnTdXgDciLKOsMf7yzlLqn6niy2UUb9rwPW6mBo6oUWNmuF6R7As93EJNyA -KoFBbZQ+yODJgUEAnl6/f8UImKIYLEJAs/lvOCdLToD0PYFH4Ih86hzOtXVcUS4cK38acijn -ALXRdMbX5J+tB5O2UzU1/Dfkw/ZdFr4hc96SCvigY2q8lpJqPvi8ZVWb3vUNiSYE/CUapiVp -y8JtynziWV+XrOvvLsi81xtZPCvM8hnIk2snYxnP/Okm+Mpxm3+T/jRnhE6Z6/yzeAkzcLpm -pnbtG3PrGqUNxCITIJRWCk4sbE6x/c+cCbqiM+2HAgMBAAGjYzBhMB0GA1UdDgQWBBTdBAkH -ovV6fVJTEpKV7jiAJQ2mWTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFN0ECQei9Xp9 -UlMSkpXuOIAlDaZZMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAIBgRlCn7 -Jp0cHh5wYfGVcpNxJK1ok1iOMq8bs3AD/CUrdIWQPXhq9LmLpZc7tRiRux6n+UBbkflVma8e -EdBcHadm47GUBwwyOabqG7B52B2ccETjit3E+ZUfijhDPwGFpUenPUayvOUiaPd7nNgsPgoh -yC0zrL/FgZkxdMF1ccW+sfAjRfSda/wZY52jvATGGAslu1OJD7OAUN5F7kR/q5R4ZJjT9ijd -h9hwZXT7DrkT66cPYakylszeu+1jTBi7qUD3oFRuIIhxdRjqerQ0cuAjJ3dctpDqhiVAq+8z -D8ufgr6iIPv2tS0a5sKFsXQP+8hlAqRSAUfdSSLBv9jra6x+3uxjMxW3IwiPxg+NQVrdjsW5 -j+VFP3jbutIbQLH+cU0/4IGiul607BXgk90IH37hVZkLId6Tngr75qNJvTYw/ud3sqB1l7Ut -gYgXZSD32pAAn8lSzDLKNXz1PQ/YK9f1JmzJBjSWFupwWRoyeXkLtoh/D1JIPb9s2KJELtFO 
-t3JY04kTlf5Eq/jXixtunLwsoFvVagCvXzfh1foQC5ichucmj87w7G6KVwuA406ywKBjYZC6 -VWg3dGq2ktufoYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NIWuuA -8ShYIc2wBlX7Jz9TkHCpBB5XJ7kAAAACABpkLXRydXN0cm9vdGNsYXNzM2NhMmV2MjAwOQAA -AXwQWa1IAAVYLjUwOQAABEcwggRDMIIDK6ADAgECAgMJg/QwDQYJKoZIhvcNAQELBQAwUDEL -MAkGA1UEBhMCREUxFTATBgNVBAoMDEQtVHJ1c3QgR21iSDEqMCgGA1UEAwwhRC1UUlVTVCBS -b290IENsYXNzIDMgQ0EgMiBFViAyMDA5MB4XDTA5MTEwNTA4NTA0NloXDTI5MTEwNTA4NTA0 -NlowUDELMAkGA1UEBhMCREUxFTATBgNVBAoMDEQtVHJ1c3QgR21iSDEqMCgGA1UEAwwhRC1U -UlVTVCBSb290IENsYXNzIDMgQ0EgMiBFViAyMDA5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAmfGENHC6L7cwoI69fATPvmK8mf2Cl9J6CmeWOAn2EE6VInOZjdoVLecF/Blz -IreOmAC8PD2soWz71nklS63wzGTaiD4puA8J0zTdM/Vi0eHNGenuGE9MWK7iHtYMWxVa2Dq4 -xBhkHuMzsrWJd04Mv9mUaxOXbxKj/pmpBMwV7GBoNu0Ie7f1v5PtZjGDjMZxNIdOF+qvi5GN -HFZBriI3XjfyHdnRLQ0vaVGnvmamijoqvccaseEU8L46HbnPW7Fq/rSxRiCi+x47cO+TmH2M -c5byxe+FcK0pJvweBD4coNgPy1KDYnzui1OVkKlXouphBdj5TcQn+m6t7fnXUfdrpQIDAQAB -o4IBJDCCASAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU05SKTGITKhkuzK9yin0215oc -3GcwDgYDVR0PAQH/BAQDAgEGMIHdBgNVHR8EgdUwgdIwgYeggYSggYGGf2xkYXA6Ly9kaXJl -Y3RvcnkuZC10cnVzdC5uZXQvQ049RC1UUlVTVCUyMFJvb3QlMjBDbGFzcyUyMDMlMjBDQSUy -MDIlMjBFViUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRlcmV2b2Nh -dGlvbmxpc3QwRqBEoEKGQGh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3Rfcm9v -dF9jbGFzc18zX2NhXzJfZXZfMjAwOS5jcmwwDQYJKoZIhvcNAQELBQADggEBADTte1o8pJSI -7xoRdQcvs/48+h5RJuuH9ine4PHUxiQJ6cHPVRu0MNnOGv4GUaYVpC3vsku/ICglSdGmNnc0 -6GTfUrERx3N6zTmewq2McSHyWmuv3zxOVa+yhGUUibl3yyoxvs+jbc9vSJQyRm/ncYygpoQZ -NwfyA0UJK4Z1fN9faVcA227YpnIiS1DUdZhW37cY/0NDUK56RHvweVHXQz2n04HT8MlPudrG -l4bQgsPkQm3+sOJkTg4m50A0JrUIidcIY2M4J3UeM+puqN2fmU90TYGJgEvdmpcpXC++gUG5 -jP/qfWAGns3XPdMuoxW8qOYm5W/D3LgDIeqfFvEsVLUAAAACACRuZXR3b3Jrc29sdXRpb25z -Y2VydGlmaWNhdGVhdXRob3JpdHkAAAF8EFmtSAAFWC41MDkAAAPqMIID5jCCAs6gAwIBAgIQ -V8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzEhMB8GA1UE -ChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9u 
-cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5 -WjBiMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAw -LgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwzc7ME -L7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPPOCwGJgl6cvf6 -UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rlmGNpSAW+Lv8ztumXWWn4 -Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnFBgrEsEX1QV1uiUV7PTsmjHTC5dLR -fbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7 -azCPL0YCorEMIuDTAgMBAAGjgZcwgZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadM -MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0 -dHA6Ly9jcmwubmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRo -b3JpdHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc86fRZ -ZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/h1AcgsLj4DKA -v6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH/nxxH2szJGoeBfcFaMBq -EssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3HtvwKeI8lN3s2Berq4o2jUsbzRF0ybh -3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHNpGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe -2MPr+8ukYEywVaCge1eyAAAAAgAVYWZmaXJtdHJ1c3RuZXR3b3JraW5nAAABfBBZrUgABVgu -NTA5AAADUDCCA0wwggI0oAMCAQICCHxPBDkc1JktMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwWQWZmaXJtVHJ1c3QgTmV0 -d29ya2luZzAeFw0xMDAxMjkxNDA4MjRaFw0zMDEyMzExNDA4MjRaMEQxCzAJBgNVBAYTAlVT -MRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwWQWZmaXJtVHJ1c3QgTmV0d29ya2lu -ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSEzDMXLmuUbGthUqDro895lEzl -lICZy1VkRGWPZ2TiBuNcN0n2L5uEhB4t8mCdME7MhIXiLM8env42qzN3NUTYNZYaPTboeg7Y -1UehammL2fy7Oq55WtX01nG7mpAja5q3iHSHDB5fuZ4t+qtTK9y7dj6TTAgIjB6iIxzUaq0i -upkBLm1ly74kZlUkS0BEsRvX4cKFwN4QPz3tuPzx8SNT3L9ll2/Z+UBxjX29ldTOvqBeJyPe -/abQJg4AKes8RvA9YL8/UNLcJkFRnhQ3QgSjcFeoG4ftLfp77owK46lmiRnLQfndRDZhz+J3 -Rsh99vSSgTb92zTxcn7zDBa9tBUCAwEAAaNCMEAwHQYDVR0OBBYEFAcf0uec2sJuokC0sHpQ 
-EFB0xMi9MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUA -A4IBAQCJV7IWeqjC/dbZm5s0wpy0MhRNp6Tf7L6nvvhD25E3zrQyLlBVGjVOdkNxIO+Td04V -cC6Hw8EdbdzLtSfULFbRUlM6RNJzyMQbBWVaYpKc7kGNMdvnNOpZIdUBetdkuGQ5zcntr+1L -A0inoJkBgNxlozauZVlIT4JLyGXxVx3lWS4KP2zY0fXlCbRsVAAK4BVNh3Vtt1iWWt1t0gCg -9JtIvsM3pLo24HyHhZcaFaLeLqJbva8Y+ZBQzXBZ+CdnR8vHoAc6fdEsXWwZOma1ff2Rb4Kx -vgiT2xRH8aI3x0WePMd3r2Sok9/2aYOCYPJJQjTtWgBUhRwWNpIMXPqmrb/bAAAAAgATZ2xv -YmFsc2lnbnJvb3RjYS1yNgAAAXwQWa1IAAVYLjUwOQAABYcwggWDMIIDa6ADAgECAg5F5rsD -gzPDhWVI5v9FUTANBgkqhkiG9w0BAQwFADBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3Qg -Q0EgLSBSNjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0x -NDEyMTAwMDAwMDBaFw0zNDEyMTAwMDAwMDBaMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9v -dCBDQSAtIFI2MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMIIC -IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAlQfoc8pm+ewUyns89w0I8bRFCyyCtEjG -61s8roO4QZIzFKRvf+kqzMawiGvFtonRxrL/FM5RFCHsSt0bWsbWh+5NOhUG7WRmC5KAykTe -c5RO86eJf094YwjIElBtQmYvTbl5KE1SGooagLcZgQ5+xIq8ZEwhHENo1z08isWyZtWQmrcx -BsW+4m0yBqYe+bnrqqO4v76CY1DQ8BiJ3+QPefXqoh8q0nAue+e8k7ttU+JIfIwQBzj/ZrJ3 -YX7g6ow8qrSk9vOVShIHbf2MsonP0KBhd8hYdLDUIzr3XTrKotudCd5dRC2Q8YHNV5L6frxQ -BGM032uTGL5rNrI55KwkNrfw77YcE1eTtt6y+OKFt3OiuDWqRfLgnTahb1SK8XJWbi6IxVFC -RBWU7qPFOJabTk5aC0fzBjZJdzC8cTflpuwhCHX85mEWP3fV2ZGXhAps1AJNdMAU7f05+4Py -XhShBLAL6f7uj+FuC7IIs2FmCWqxBjplllnA8DX9ydoojRoRh3CBCqiadR2eOoYFAJ7bgNYl -+dwFnidZTHY5W+r5paHYgw/R/98wEfmFzzNI9cptZBQselhP00sIScWVZBpjDnk99bOMylit -nEJFeW4OhxlcVLFltr+Mm9wT6Q1vuC7cZ27JixG1hBSKABlwg3mRl5HUGie/Nx4yB9gUYzwo -TK8CAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE -FK5sBaOTE+Ki5+LXHNbH8H/IZ1OgMB8GA1UdIwQYMBaAFK5sBaOTE+Ki5+LXHNbH8H/IZ1Og -MA0GCSqGSIb3DQEBDAUAA4ICAQCDJe3o0f2VUs2ewASgkWnmXNCE3tytok/oR3jWZZipW6g8 -h3wCitFutxZz5l/AVJjVdL7BzeIRka0jGD3d4XJElrSVXsB7jpl4FkMTVlezorM7tXfcQHKs -o+ubNT6xCCGh58RDN3kyvrXnnCxMvEMpmY4w06wh4OMd+tgHM3ZUACIquU0gLnBo2uVT/INc -053y/0QMRGby0uO9RgAabQK6JV2NoTFR3VRGHE3bmZbvGhwEXKYV73jgef5d2z6qTFX9mhWp 
-b+Gm+99wMOnD7kJG7cKTBYn6fWN7P9BxgXwA6JiuDng0wyX7rwqfIGvdOxOPEoziQRpIenOg -d2nHtlx/gsge/lgbKCuobK1ebcAF0nu364D+JTf+AptorEJdw+71zNzwUHXSNmmc5nsE324G -abbeCglIWYfrexRgemSqaUPvkcdM7BjdbO9TLYyZ4V7ycj7PVMi9Z+ykD0xF/9O5MCMHTI8Q -v4aW2ZlatJlXHKTMuxWJU7osBQ/kxJ4ZsRg01Uyduu33H68klQR4qAO77oHl2l98i0qhkHQl -p7M+S8gsVr3HyO844lyS8Hn3nIS6dC1hASB+ftHyTwdZX4stQ1LrRgyU4fVmR3l31VRbH60k -N8tFWk6gREjI2LCZxRWECfbWSUnAZbjmGnFuoKjxguhFPmzWAtcKZ4MFWsmkEAAAAAIAFmds -b2JhbHNpZ25lY2Nyb290Y2EtcjUAAAF8EFmtSAAFWC41MDkAAAIiMIICHjCCAaSgAwIBAgIR -YFlJ4CYuu1X5CneKcflK2GwwCgYIKoZIzj0EAwMwUDEkMCIGA1UECxMbR2xvYmFsU2lnbiBF -Q0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxT -aWduMB4XDTEyMTExMzAwMDAwMFoXDTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMbR2xvYmFs -U2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpH -bG9iYWxTaWduMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAER0UOlvt9Xb/pOdEh+J8LttV7HpI6 -SFkc8GIxLcB6KP4ap1yztsyX50XUWPrRd21DosCHZTQKH3rd6zwzocWdTaRvQZU4f8kehOvR -nkmSh5SHDDqFSmafnVmTTZdhBoZKo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw -AwEB/zAdBgNVHQ4EFgQUPeYpSJvqB8ohREom3m7e0oPQn1kwCgYIKoZIzj0EAwMDaAAwZQIx -AOVpEslu28YxuglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg515dTguDnFt2KaAJJiFqYgIwcdK1 -j1zqO+F4CYWodZI7yFz9SO8NdCKoCOJuxUnOxwy8p2Fp8fc74SrL+SvzZpA3AAAAAgAWZ2xv -YmFsc2lnbmVjY3Jvb3RjYS1yNAAAAXwQWa1IAAVYLjUwOQAAAeUwggHhMIIBh6ADAgECAhEq -OKQclgoE3kKyKKUL6DSYAjAKBggqhkjOPQQDAjBQMSQwIgYDVQQLExtHbG9iYWxTaWduIEVD -QyBSb290IENBIC0gUjQxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNp -Z24wHhcNMTIxMTEzMDAwMDAwWhcNMzgwMTE5MDMxNDA3WjBQMSQwIgYDVQQLExtHbG9iYWxT -aWduIEVDQyBSb290IENBIC0gUjQxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkds -b2JhbFNpZ24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS4xnnTj2wlDp8uORkcA6SumuU5 -BwkWymOxuYb4ilfBV85C+nOh92VC/x7BALJucw7/xyHlGKSq2XE/qNS5zowdo0IwQDAOBgNV -HQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVLB7rUW44kB/+wpu+74z -yTyjhNUwCgYIKoZIzj0EAwIDSAAwRQIhANySoaATps8DsObEIZeQ+hRXLQPs7jzTbsqobHa8 -ot67AiAnqIUnNZtWxqPyR9K3bhsCABeqZ6YVkd76lOx7C/ifhAAAAAIADXN6YWZpcnJvb3Rj 
-YTIAAAF8EFmtSAAFWC41MDkAAAN2MIIDcjCCAlqgAwIBAgIUPopdB+xV0jLVt+O2XwHrLdzk -1uQwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpi -YSBSb3psaWN6ZW5pb3dhIFMuQS4xGDAWBgNVBAMMD1NaQUZJUiBST09UIENBMjAeFw0xNTEw -MTkwNzQzMzBaFw0zNTEwMTkwNzQzMzBaMFExCzAJBgNVBAYTAlBMMSgwJgYDVQQKDB9LcmFq -b3dhIEl6YmEgUm96bGljemVuaW93YSBTLkEuMRgwFgYDVQQDDA9TWkFGSVIgUk9PVCBDQTIw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3vD5QqEvNQLXOYeeWyrSh2gwisPq1 -e3YAd4wLz32ohswmUeQgPYUM1ljj5/QqGJ3a0a4m7utT3PSQ1hNKDJA8w/Ta0o4NkjrcsbH/ -ON7Dui1fgLkCvUqdGw+0w8LBZwPd3BucPbOw3gAeqDRHu5rr/gsUvTaE2g0gv/pby6kWIK05 -YO4vdbbnl5z5Pv1+TW9NL++IDWr63fE9biCloBK0TXC5ztdyO4mTp4CEHCdJckm1/zuVnsHM -yAHs6A6KCpbns6aH5db5BSsNl0BwPLqsdVqc1U2dAgrSS5tmS0YHF2Wtn2yIANwiieDhZNRn -vDF5YTy7ykHNXGoAyDw4jlivAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ -BAQDAgEGMB0GA1UdDgQWBBQuFqlKGLXLzPVvUPMjX/hd56zwyDANBgkqhkiG9w0BAQsFAAOC -AQEAtXP4A9xZWx126aMqe5Aosk3AM0+qmrHUuOQn/6mWmc5G4G18TKI4pAZw8PRBEew/R40/ -cof5O/2kbytTAOD/OblqBw7rHRz2onKQy4I9EYKL0rufKq8h5mOGnXkZ7/e7DDWQw4rtTw/1 -zBLZpD67oPwglV9PJi8RI4NOdQcPv5vRtB3pEAT+ymCPoky4rc/hkA/NrgrHXXu3UNLUYfrV -FdvXn4dRVOul4+vJhaAlIDf7js4MNIThPIGyd05DpYhfhmehPea0XGG2Ptv+tyjFogeutcrK -jSoS75ftwjCkySp6+/NNIxuZMzSgLvWpCz/UXeHPhJ/iGcJfitYgHuNztwAAAAIAE2dsb2Jh -bHNpZ25yb290Y2EtcjMAAAF8EFmtSAAFWC41MDkAAANjMIIDXzCCAkegAwIBAgILBAAAAAAB -IVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0g -UjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4 -MTAwMDAwWhcNMjkwMzE4MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0Eg -LSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8RgJD -x7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsTgHeMCOFJ0mpi -Lx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmmKPZpO/bLyCiR5Z2KYVc3 -rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSS -aGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPa 
-bumDk3F2xmmFghcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w -HQYDVR0OBBYEFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvA -UKr+yAzv95ZURUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25s -bwMpjjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK6fBd -RoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQXmcIfeg7jLQit -Chws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlh -LxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpHWD9fAAAAAgATZ2xvYmFsc2lnbnJv -b3RjYS1yMgAAAXwQWa1IAAVYLjUwOQAAA74wggO6MIICoqADAgECAgsEAAAAAAEPhibmDTAN -BgkqhkiG9w0BAQUFADBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG -A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0wNjEyMTUwODAwMDBa -Fw0yMTEyMTUwODAwMDBaMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMw -EQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAps8kDr4ubyiZRULEqz4hVJsL03+EcPoSs8u/h1/Gf4bTsjBc -1v2t8Xvc5fhglgmSEPXQU977e35ziKxSiHtKpspJpl6op4xaEbx6guu+jOmzrJYlB5dKmSoH -L7Qed7+KD7UCfBuWuMW5Oiy81hK561l94tAGhl9eSWq1OV6INOy8eAwImIRsqM1LtKB9DHlN -8LgtyyHK1WxbfeGgKYSh+dOUScskYpEgvN0L1dnM+eonCitzkcadG6zIy+jgoPQvkItN+7A2 -G/YZeoXgbfJhE4hcn+CTClGXilrOr6vV96oJqmC93Nlf33KpYBNeAAHJSvo/pOoHAyECjoLK -A8KbjwIDAQABo4GcMIGZMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud -DgQWBBSb4gdXZxwewGoG3lm0mi3f3BmGLjA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3Js -Lmdsb2JhbHNpZ24ubmV0L3Jvb3QtcjIuY3JsMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSa -Ld/cGYYuMA0GCSqGSIb3DQEBBQUAA4IBAQCZgVOHHGiXhpHs4Eq4RAurgawnT9bBuBxDeLMM -mvzqLDxuYRtNSyn1nwUdJsG46YMAYkW2qQiTuakzSxiawviHiE7b3XE0GsFU2kY/4NMqq21U -IvU6Ys0gb7opidfdke7TXKI+oVtB9d/lZEMt6dU5q9Ki37eL0MCAGRxFwC2M6PgtpHRWScUF -tU8V3m5EeDmHqH6783kYkbv0b53B8Iw1jF0B+8Ntue9EbXlGMX4K/qmCwf/vq24gxFDJX51N -mxeMDOUByaBBanNT+qVQtG4lD/tMGPT9UtmOabHoEQ/eiNj7HUn3qt6VzyB4wmAS2yVAjGr8 -fkI4QGQS956B4ZMuAAAAAgAKb25hcHRlc3RjYQAAAXw8eG62AAVYLjUwOQAABUIwggU+MIID -JqADAgECAgkAnq7twKfOtZ0wDQYJKoZIhvcNAQELBQAwLDEOMAwGA1UECwwFT1NBQUYxDTAL 
-BgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTMB4XDTE4MDQwNTE0MTUyOFoXDTM4MDMzMTE0MTUy -OFowLDEOMAwGA1UECwwFT1NBQUYxDTALBgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTMIICIjAN -BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwDmmSBGzs2EYbh7Dkmi6HJhqSBhTIVobXbX7 -+HyptJ23SFVC/nr4QDjVirtcaJ7tFgNAr02YAUXeCu4T7pfvC8mIKGn4LJ3uwUydvrm5aHER -3FZMzYEkWuB/NScfxkLGBoKjdcfg/OUpHLYtBAkQkQLCX9FmZEJeKMy3l72Hxehlj98qQpxl -lSxY0IylOjbrrCO8D0xcuZ2BF5GPT6+sKOs2rL6G3AkPO2iIdaJg+pPqjwS8ZyCM2qOVnHs1 -Q1/wx8sMHKooXr7BFse/UYqOff9WKN3jkW/yuLJFhE6IVqe9tXqMh8GS/w9lteDZUNaxiyCn -w0C8zEr6JXxw74KTeUEjYY49lsISqk9VNhstTPqxzMCUJfBCg/MMhljBhrd5H+BgtjWA/aIR -Uc5FqDdss9qn1lfkTwNmTNM1OOi+8uTwpoKZ9xpQwmwG0N0ClxSK3PXRydHJlzWxfeATV/cO -nNAzq30Lmw5XJGENxKsqqrBv2bRKzThcBL0Wyow/dRZhDKoNdLGVQBhpfz3a7yZXWHGe3aCN -vbZGWhcwzpOi8zexKslLTAf6XWfOd3poVd+1L8bhlUhVn8t9PWKzhK2jI9ZkLDDCXLXPyolD -/OGKnk2BlPFDDiaLvDDfkNg90BA4KhqN9K8WOqyVD9w9GL8xEK7Tv2F5Vvl9CefNW2ekVBEC -AwEAAaNjMGEwHQYDVR0OBBYEFFNVM/JL69BRscF4msEoMXvv6u1JMB8GA1UdIwQYMBaAFFNV -M/JL69BRscF4msEoMXvv6u1JMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0G -CSqGSIb3DQEBCwUAA4ICAQA/H8hor3ifTbA/GmdhPL4tUsjHB2r+RrA13ohuIzMvzvOY0wOY -dwZt+hEKPw6SG6CBf0vHX8KSGleKa5ixk4VCLluWv+76/iYhuyBuaL3uP5xQcM/TMvJy9K/E -oe3LnUvCZpf1rjCQmXnMFTg7Wx38f21ZwSbAnf2W0qgEoHFz3hlzeIybnK1FYaP7SsrMsMBc -RamhnlsTk8slq4DpQMLEMt+zcXCFtLu4OCDFi9+PJIXkUI0RP3ign6byztV4e+hryI8Yq9es -ip13tcMeeokmVUqvub1LR8xvIQHxyLZG05cO33eJ9jW6GgS0TKSfh2oFKnx7O80yfChd1g8O -9N324IAV5YUtWt4EBbF3bmE+wFORkDmGlr+sD6Yq/oB/hUFWJivxzPh1kKwUKG6KhV5t72KC -Gt+MH/+op6kWM8ULKPMo3W7Qkqb/bH85GrGRM40byne4PCgg7KKZRxO1My/jZt9gPzxEpqSp -IVcT0b5nQuVooAGp+Mrj2j+2wCn5zkug2ViWUqGd607dAB2tofB2YLfoGGiCHNHWOlfvnUBx -mfZUfdDhcrKnTVwk0Ikiu5r4D5vHrOHdHJbrMgiRtEJsRP5QP7iavxYhxITea1FlWWeFQM7j -P3/9YoxXPBL1GHz+S6zOsYUjUpCjNcIcutx7dg/pFhl8553v0tdpHBd1hgAAAAIAD2Vtc2ln -bnJvb3RjYS1jMQAAAXwQWa1IAAVYLjUwOQAAA3cwggNzMIICW6ADAgECAgsArs8AusTPMvhD -sjANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzETMBEGA1UECxMKZW1TaWduIFBLSTEU -MBIGA1UEChMLZU11ZGhyYSBJbmMxHDAaBgNVBAMTE2VtU2lnbiBSb290IENBIC0gQzEwHhcN 
-MTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBWMQswCQYDVQQGEwJVUzETMBEGA1UECxMK -ZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMxHDAaBgNVBAMTE2VtU2lnbiBSb290 -IENBIC0gQzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP66m58ZkFzNgoIUrz -czRRhFYQ9aBPLBLj+hOaJ9DP+XkadF8deTn8W/hwjuCSUvfkJflUg9kd08hahT9ex7YH7j7A -zpqvrFZCKjklcNa/tXs2raz2c9zN1x2Kg6X7K5AVN2scJkfcOylWk2qzwWo6nT31wZc4WAWL -HBHj5LS4XYUdg/54XwtFaBhIpUZzNDv+D8h2u8cY8wXRhvOF7ee52TKtVYjOpraRsE+sfhUj -lvY/8CA0Ft4KxsQERXl/p/2+0qmlr5zFIyr3PCFsva+PTsU6svM0EvzfgBpJpNSplfeeiV6i -iayUy6hom6+KZSfNie7djLVrKXBDoGkL5LkPAgMBAAGjQjBAMB0GA1UdDgQWBBT+oeBwHioD -OVJaQr5ckYV6GKpNtTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG -9w0BAQsFAAOCAQEAwkpW+hUheyii6eUd+/gtxDmWQUw7JyzEbBgVgMasr0dZLyYL4zaw7zv+ -Q5dJMpkSFVvfESn/q1P4u8F4D6ycU69XvWiMPWkz8KOgI2M7ZGciRK3VcctWKniSo08SMTY2 -4t7+AMSjYA8nraCwirU2elKhvSf0ICdi6E2UJBPkCgTpPKsuyEMJSsZhBOVJNH7TxMj1D8Cq -6bpUXvNjK09PUNT+uXuZjD3ALrwCK9PEQOSKBzEem84mmRP7EeqaIgwRGcdeG4FQMMiWEm7n -y0F/kTuiR7dUgBvcAMyakOrDw1AGYgwwwBVIp6hZfOGuIqLiCnoP+mKrUkzh8d/KvoMNQgAA -AAIAEmVtc2lnbmVjY3Jvb3RjYS1jMwAAAXwQWa1IAAVYLjUwOQAAAi8wggIrMIIBsaADAgEC -Agp7cbaCVrgSfJyoMAoGCCqGSM49BAMDMFoxCzAJBgNVBAYTAlVTMRMwEQYDVQQLEwplbVNp -Z24gUEtJMRQwEgYDVQQKEwtlTXVkaHJhIEluYzEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290 -IENBIC0gQzMwHhcNMTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBaMQswCQYDVQQGEwJV -UzETMBEGA1UECxMKZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMxIDAeBgNVBAMT -F2VtU2lnbiBFQ0MgUm9vdCBDQSAtIEMzMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE/aVhrnsm -EB3ptyIwrgb0gbOxQnGVObzTUuOvr/nylzWSNkYOh5WNuTla6bvf0P7IB0E8u1Vvg6Nq+2Kw -gYkCcH1IxUrj6SJUIk2Tu0IMr3ecI6Z912ERzmXH+H/+9fKpo0IwQDAdBgNVHQ4EFgQU+1pI -0IAgQPKo6QAHaRl3p+bD9M8wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI -KoZIzj0EAwMDaAAwZQIxALTYLwKJ/bZMYrpDThOEcrWu3Rze1rXcVo9YQFot3iBMIoPKk6h+ -7hJAx9aHT/jfhQIwHBRk5HyWgxGcsNFaYUumD0nTAPyh/OSl/3+t1zDQx3d/voEHVTBQIBT1 -VzgKqDFRAAAAAgAPZ2xvYmFsdHJ1c3QyMDIwAAABfBBZrUgABVguNTA5AAAFhjCCBYIwggNq -oAMCAQICC1pLvVr7T4pb+mXlMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkFUMSMwIQYD 
-VQQKExplLWNvbW1lcmNlIG1vbml0b3JpbmcgR21iSDEZMBcGA1UEAxMQR0xPQkFMVFJVU1Qg -MjAyMDAeFw0yMDAyMTAwMDAwMDBaFw00MDA2MTAwMDAwMDBaME0xCzAJBgNVBAYTAkFUMSMw -IQYDVQQKExplLWNvbW1lcmNlIG1vbml0b3JpbmcgR21iSDEZMBcGA1UEAxMQR0xPQkFMVFJV -U1QgMjAyMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK4uVq0bHO/2lY+gdxsr -02OPhE1Fog+fW0WrWXtRNPnsi4p4xd1rr73E35NFHr+ROAuuDhbnQXP427vRuFHgy4M7czhu -d4oPWWMmzacqzlT7uOLAfEfOYHw/snPywBm2ipKHNQ2QKKLkFQRjPrqv7nxezKaLULI490Fj -ys7/aY9oDpU25cy5jAnKS90xkJbIzB/9VpY0244c6iy+hS5j3aqpldP9KZUT8MiYk9ktFkeQ -EYOiOiKiKFei6/7AjCigpn3nKkI7goBjpWMfGcx8smaowtNtN2/ifgZR2UWEHxLOJFJkhQtI -gE6HsSIiMKrrrr7gAuBA6LBCgANRqrR+qkTXQ2HzomsWiUmko6QrigLEePRoisHkejaxbxuW -G3dJjdTJBnKPz1Pj3BeFIErcmCfTkSYrRx5pB6/eouTk1GsLs1581CSARylpO27orP1A69jt -cXEr8uhYHetBlyLFH9Q50CePh+MY9OCpRg31dDqCLtBuLJGjMVw7Rup7BBBWXoAd9aVl6IL8 -4geMYkX1IN5GcIahvJPTHnSmbLAs9wMMiAzL1HJThrxgRvOYasLxv0P5cCB3yjdBeVVSY41b -Ep/FaMSInazyMKu3ozGXZ62PFw9sx3PtJJRryIOa0Jo3SQSrsRbIbElJLauh0IyS8kFKeSEl -22PXtpynfkJp+zpjAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG -MB0GA1UdDgQWBBTcLh/RYTd55KvV1bMScWg9amicIjAfBgNVHSMEGDAWgBTcLh/RYTd55KvV -1bMScWg9amicIjANBgkqhkiG9w0BAQsFAAOCAgEAkfBCAmhA7sNowFQv3+xiw8OeiqAxKKqD -jqRWlhIQhla6l3LSVDB8rRnVHWhv+xRC2I0O87XRpeMCQl7c6EZYBzUCMOC8dErBQyr/2xrQ -sK9sw/3Ls/V/bQMuWVadLS01jLLWQxcskgrLXeiMD0twQ9CC/6jMv6SUwL6HvYrjk3vGj5sW -nSdlvHrFQoJsXAfQqcGIYETpmIUWX/iPygEQziXD+WAboMWXw9MsiDGivTDs0NDAEvHBOePl -9fjWSt00zftvwU/jAItW4pL3KLJCd3IjZ8c/ERWyxAMFvrsRewq/qG7n/1hDz5tnoIAHth3K -rW3qQRF+LXST+8K8vlFExe9oJSeA48ig1BLs2aU3HTd8tJHK2tSxloHvaFx2EEmvfqU3gLEc -Ur0zgUyP+d1l2RTNiiVY9OLFg6UJkNRsFGO1QN/rwPzEWH4NFBaHVCduVuRwhLhsMhJ+gjFD -vtfdfKGtrtarIBLvCsMQjEmWNdwLdV6xT9VPNA4RIAd1Q0XpoxHarKOZwrZ5J+K578ji9jUp -enT6xX+CBWKmCuposnlHBm7yV6gVM8b3eEo9Qntrfv73RurR647viGhb6MHZcX79ZO//Z0eI -WCUvPoYHvfuo5YKorKXTaUPNMYhJhFOSwLE5GzmDATDE8qn60AO9cjdgVh82fL05kfVtDb97 -15IAAAACABNidXlwYXNzY2xhc3Mzcm9vdGNhAAABfBBZrUgABVguNTA5AAAFXTCCBVkwggNB -oAMCAQICAQIwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBh 
-c3MgQVMtOTgzMTYzMzI3MSAwHgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTAeFw0x -MDEwMjYwODI4NThaFw00MDEwMjYwODI4NThaME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRC -dXlwYXNzIEFTLTk4MzE2MzMyNzEgMB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAzIFJvb3QgQ0Ew -ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCl2gqVFlDjlfJenXYxBjJ6m/EQdrgA -mrVSNs0kR7CfGGS8mvb61XnYkGJMIi/eOD3W4KjpHCzbeBHpjmhRFXLH8zOH5KBdC1zgVwcq -MPXNxDd3KE0Ykea/1VL9cS1wPufGxIrj8CgL9HaYoYuHVbI6E/y3Pic3jiLjqE8q72C7Pbc5 -ww4BR5ldEk/bQ/pXoe35nb4RRyZbE5irXRaKsDccV51F/4iWNr+7ygd7b4dj19AyatZdbAzx -s2454msxLjkAJxTeOMDsGWaGEuidchYTZFLHqTcc/YIw7YQYHfSuXP9wEwDrsfUzekvWVfgF -jUtpsPWzKDZcFMRRc01rC/E0B9sXOdfcKHtr9Z/zLsFPFyoQ88zK6Ov9a6sump8tgm4E1FIB -ky09hvx+/N/vQh2ma++5IMb3vaCnlf2n5okk2MyMNGziIy/ZEhohuVWRbwuReRkMrUCIC3Di -etIO2GhIu4ITORBY6dgqB8YS21jb0jtVEEcFFWdifhhjpkY/CQ5UMl6/DWJ6J++A6NvZSwZa -N1ol0AgSd9RvCVCXPcgdw9+MRTBWxtNkq2bzwF6WnMPE78N8a4s6eX+zSc894omfoDBLhbmc -lCR5j31rqUVoDyvQ8docy2m4yklibcjQY2LdYA9Yqo+hvAWlZqLPG3ayhGSxTDlSwDC68IxL -ArC2twIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHuM3/5W/u+LLsL04O -+SWwjjxrwzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAAAgI0E1BJDCQGJg -7+I1TNc/rOI0kLihb3b6FhakSDcs6ZDC8jz4Cp/YgeW7W9olLKSnVXEkMvbIC/K8aviTrLIH -wl+f28zIiqq+am/hSRDMMdeAu7vI2KIOZFfqovXCqTEV0iBq7PwiASjPhriAHqnMEaU88haz -R5380oAhxMvQR3BBocqDGQgsbfJdd5yKFBPUNhyS8OUGN9ym5pCbOI9caxtGhkNCXz4BB1NU -XWV994pzoZpUWh8pQxQnwoUPtYh7GjuUtx1gp7Wc5ylpV1qbk3pDMBsD12LIQKaq/GTkSteR -UwGoIIhunF9EuctggTTsb9N92khf67SQvC2pHAusHNWiaCCABNb8sY8vu0oxDUqGHOviNikm -9drYxPJ1Yc9+rnZjSnpAZZOH+B6AjIblhtaPDvxTLGDoFmEaoj5De805YFRq9fKJJgFog0ii -M+jJBJGyETQRPurQQxkfA5OQDP9RPVf0QW7hy6C+68ljzW3M5Pg2qmid7b1dl3BEDbYONdzh -DF27oFGUy34W6xEvo5JFyExx2bzJmVJXRi9Qz701afQ9Fc4GpSwPPvaBupS7w7u/ZXjShnn/ -STsagwzw3njsyPJNTBregin4wVra7e7mJ17oRdCdHFGoaKtE49CLauP4O7vcTddk8lG+5qqr -Wukx7ga8c78TYgqfx7mXAAAAAgAfY29tb2RvcnNhY2VydGlmaWNhdGlvbmF1dGhvcml0eQAA -AXwQWa1IAAVYLjUwOQAABdwwggXYMIIDwKADAgECAhBMqvnK22Nv4B/3TthbA4adMA0GCSqG -SIb3DQEBDAUAMIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVy 
-MRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkGA1UE -AxMiQ09NT0RPIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDAxMTkwMDAwMDBa -Fw0zODAxMTgyMzU5NTlaMIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5j -aGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEr -MCkGA1UEAxMiQ09NT0RPIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAJHoVJLSClaxrA0k3cXPRGd0mSs3o30jcABxvFPfxPoq -Eo9LfxBWvZ9wcrdhf8lLDxenPeOwBGHu/xGXx/SGPgr6Plz5k+Y0etkUa+ecs4Wggnp2r3GQ -1+z9DfqcbPrfsIL0FH75vsSmL09/mX+1/GdDcr0MANaJ62ss0+2PmBwUq37l42782KjkkiTa -Q2tiuFX96sG8bLaL8w6NmuSbbGmZ+HhIMEXVreENPEVg/DKWUSe8Z8PKLrZr6kbHxyCgsR9l -3kgIuqROqfKDRjeE6+jMgUhDZ05yKptcvUwbKIpcInu0q5jZ7uBRg8MJRk5tPpn6lRfafDNX -QTyNUe0LtlyvLGMa31fIP7zpXcSbr0WZ4qNaJLS6qVY9z2+q/0lYvvCo//S4rek3+7q49As6 -+ehDQh6J2ITLE/HZu+GJYLiMKFasFB2cCudx688O3T2plqFIvTz3r7UNIkzAEYHsVjv206Li -W7eyBCJSlYCTaeiOTGXxkQMtcHQC6otnFSlpUgK7199QalVGv6CjKGF/cNDDoqosIapHziic -BkV2v4IYJ7TVrrTLUOZr9EyGcTDppt8WhuDY/0Dd+9BCiH+jMzouXB5BEYFjzhhxayvspoq3 -MVw6akfgw3lZ1iAar/JqmKpyvFdK0kuduxD8sExB5e0dPV4onZzMv7NR2qdH5YRTAgMBAAGj -QjBAMB0GA1UdDgQWBBS7r34CPfqm8TyEjq3uOJjs2TIy1DAOBgNVHQ8BAf8EBAMCAQYwDwYD -VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQwFAAOCAgEACvHVRoS3rlG7bLJNQRQAk0ycy+XA -VM+gJY4C+f2wog31IJg8Ey2sVqKw1n4Rkukuup4umnKxvRlEbGE1opq0FhJpWozh1z6kGugv -A/SuYR0QGyqki3rF/gWm4cDWyP6ero8ruj2Z+NhzCVhGbqac9Ncn05XaN4NyHNNz4KJHmQM4 -XdVJeQApHMfsmyAcByRpV3iyOfw6hKC1nHyNvy6TYie3OdoXGK69PAlo/4SbPNXWCwPjV54U -99HrT8i9hyO3tklDeYVcuuuSC6HG6GioTBaxGpkK6FMskruhCRh1DGWoe8sjtxrCKIXDG//Q -K2LvpHsJkZhnjBQBzWgGamMhdQOAiIpugcaF8qmkLef0pSQQR4PKzfSNeVixBpvnGirZnQHX -lH3tA0rK8NvoqQE+9VaZyR6OST275Qm54E9Jkj0WgkDMzFnG5jrtEi5pPGyVsf2qHXt/hr4e -DjJG+/sTj3V/TItLRmP+ADRAcMHDuaHdpnDiBLNBvOmAkepknHrhIgOpnG5vDmVPbIeHXvNu -oPl1pZtA6FOyJ51KucB3IY3/h/LevIzvF9+3SQvR8m4wCxoOTnbtEfz16Vayfb/HbQqTjKXQ -wLYdvjpOlKLXbmwLwop8+iDzxOTlzQ2oy5GSsXyF7LUUaWYOgufNzsgtplF/IcE1U4UGSl2f -rbsbX3QAAAACAA5jZXJ0dW1lYy0zODRjYQAAAXwQWa1IAAVYLjUwOQAAAmkwggJlMIIB66AD 
-AgECAhB4jydcgRJSIKUE0C3dunP0MAoGCCqGSM49BAMDMHQxCzAJBgNVBAYTAlBMMSEwHwYD -VQQKExhBc3NlY28gRGF0YSBTeXN0ZW1zIFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTEZMBcGA1UEAxMQQ2VydHVtIEVDLTM4NCBDQTAeFw0xODAzMjYw -NzI0NTRaFw00MzAzMjYwNzI0NTRaMHQxCzAJBgNVBAYTAlBMMSEwHwYDVQQKExhBc3NlY28g -RGF0YSBTeXN0ZW1zIFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhv -cml0eTEZMBcGA1UEAxMQQ2VydHVtIEVDLTM4NCBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IA -BMQojqsYW2q+bmQ3Y+TN7Ks698yhuA6CSdeGKZ+hlPLjYHiYgXgGTfLsmg5XYIOftOYXLxqz -XQJbiSM8whEFKqeIExjzUITXvTQsJ4lV/85M59+mHyjE8FTDuXy3U63rwqNCMEAwDwYDVR0T -AQH/BAUwAwEB/zAdBgNVHQ4EFgQUjQZmdCR2OvOJ97zWvUd9L7wQX0swDgYDVR0PAQH/BAQD -AgEGMAoGCCqGSM49BAMDA2gAMGUCMANVLabmGMR878lQbsEnD5yHr27VGwgYvZIpwe+UkXjS -OhxViWLlGwkeumRr8Xa01AIxALRChJn/q+ee+5GXJ13csFswcc5eOBpq2SXn6vdhklb46to2 -wodlli5yJS9/38MTyQAAAAIAHHNlY3VyaXR5Y29tbXVuaWNhdGlvbnJvb3RjYTIAAAF8EFmt -SAAFWC41MDkAAAN7MIIDdzCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQG -EwJKUDElMCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UECxMe -U2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBSb290Q0EyMB4XDTA5MDUyOTA1MDAzOVoXDTI5MDUy -OTA1MDAzOVowXTELMAkGA1UEBhMCSlAxJTAjBgNVBAoTHFNFQ09NIFRydXN0IFN5c3RlbXMg -Q08uLExURC4xJzAlBgNVBAsTHlNlY3VyaXR5IENvbW11bmljYXRpb24gUm9vdENBMjCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANAVOVKxUrO6xVmCxF1SrjpDZYBLx/KWvNs2 -l9amZIyoXvDjChz335c9S672XewhtUGrzbl+dp+++T42NKA7wfYxEUV0kz1XgMX5iZnK5atq -1LXaQZAQwdbWQonCv/Q4EpVMVAX3NuRFg3sUZdbcDE3R3n4MqzvEFb46VqZab3ZpUql6ucjr -appdUtAtCms1FgkQhNBqyjoGADdH5H5XTz+L62e4iKrFvlNVspHEfbmwhRkGeC7bYRr6hfVK -kaHnFtWOojnflLhwHyg/i/xAXmODPIMqGplrz95Zajv8bxbXH/1KEOtOghY6rCcMU/Gt1SSw -awNQwS08Ft1ENCcadfsCAwEAAaNCMEAwHQYDVR0OBBYEFAqFqXdlBZh8QIH4D5csOPEK7DzP -MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBM -OqNErLlFsceTfsgLCkLfZOoc7llsCLqJX2rKSpWeeo8HxdpFcoJxDjrSzG+ntKEju/Ykn8sX -/oymzsLS28yN/HH8AynBbF0zX2S2ZTuJbxh2ePXcokgfGT+Ok+vx+hfuzU7jBBJV1uXk3fs+ -BXziHV7Gp7yXT2g69ekuCkO2r1dcYmh8t/2jioSgrGK+KwmHNPBqAbubKVY8/gA3zyNs8U6q 
-tnRGEmyR7jTV7JqR50S+kDFy1UkC9gLl9B/rfNmWVan/7Ir5mUf/NVoCqgTLiluHcSmRvaS0 -eg29mvVXIwAHIRc/SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03AAAAAgARc3RhcmZpZWxk -Y2xhc3MyY2EAAAF8EFmtSAAFWC41MDkAAAQTMIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0B -AQUFADBoMQswCQYDVQQGEwJVUzElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywg -SW5jLjEyMDAGA1UECxMpU3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkwHhcNMDQwNjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMG -A1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZpZWxk -IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3DQEBAQUAA4IB -DQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf8MOh2tTYbitTkPskpD6E -8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN+lq2cwQlZut3f+dZxkqZJRRU6ybH -838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZ -GD3/cVE8MC5fvj13c7JdBmzDI1aaK4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSN -F4Azbl5KXZnJHoe0nRrA1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgED -o4HFMIHCMB0GA1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/ -X7fRzt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0YXJm -aWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBDbGFzcyAyIENl -cnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD -ggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3L7IezMdeatiDh6GX70k1PncGQVhi -v45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56Deruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsg -Gh1o+Re49L2L7ShZ3U0WixeDyLJlxy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMt -lb71cZBDzI0fmgAKhynpVSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNzi -PTnNvT51cKEYWQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5QAAAACABthY3Rh -bGlzYXV0aGVudGljYXRpb25yb290Y2EAAAF8EFmtSAAFWC41MDkAAAW/MIIFuzCCA6OgAwIB -AgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCSVQxDjAMBgNVBAcMBU1p -bGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0 -YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjEx -MjIwMlowazELMAkGA1UEBhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlz 
-IFMucC5BLi8wMzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBS -b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNv -UTufClrJwkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX4ay8IMKx -4INRimlNAJZaby/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9KK3giq0itFZljoZU -j5NDKd45RnijMCO6zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/gCczWw63igxdBzcIy2zSekci -RDXFzMwujt0q7bd9Zg1fYVEiVRvjRuPjPdA1YprbrxTIW6HMiRvhMCb8oJsfgadHHwTrozmS -Bp+Z07/T6k9QnBn+locePGX2oxgkg4YQ51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqE -guNTVHnd25zS8gebLra8Pu2Fbe8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeIC -rHuS0E4UT1lF9gxeKF+w6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1 -fEwZtN4Fv6MGn8i1zeQf1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbn -fpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7jPKxwV2d -pAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7YnzezhwlMkCAjbQMA8G -A1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbtifN7OHCUyQICNtAwDgYDVR0P -AQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQALe3KHwGCmSUyIWOYdiPcUZEim2FgKDk8T -Nd81HdTtBjHIgT5q1d07GjLukD0R0i70jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lS -cWoWPBkdg/iaKWW+9D+a2fDzWochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a -2hi/a5iB0P2avl4VSM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANA -TIGk0k9jpwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyX -X04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+OkfcvHlXHo -2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7RK4X9p2jIugErsWx0 -Hbhzlefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btUZCzJJ7VLkn5l/9Mt4blOvH+k -QSGQQXemOR/qnuOf0GZvBeyqdn6/axag67XH/JJULysRJyU3eExRarDzzFhdFPFqSBX/wge2 -sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaTLnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXh -lgAAAAIAJXRydXN0d2F2ZWdsb2JhbGNlcnRpZmljYXRpb25hdXRob3JpdHkAAAF8EFmtSAAF -WC41MDkAAAXeMIIF2jCCA8KgAwIBAgIMBfcOhtpJ80Y1LrqyMA0GCSqGSIb3DQEBCwUAMIGI -MQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xITAf -BgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1c3R3YXZlIEds 
-b2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMxOTM0MTJaFw00MjA4MjMx -OTM0MTJaMIGIMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0No -aWNhZ28xITAfBgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1 -c3R3YXZlIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEB -BQADggIPADCCAgoCggIBALldUShLPDeS0YLOvR29zd24q88KPuFd5dyqCblXAj7mY2Hf8g+C -Y66j96xz0XznswuvCAAJWX/NKSqIk4cXGIDtiLK0thAfLdZfVaITXdHG6wZWiYj+rDKd/VzD -Bcdu7oaJuogDnXIhhpCujwOl3J+IKMujkkkP7NAP4m1ET4BqstTnoApTAbqOl5F2brz81Ws2 -5kCI1nsvXwXoLG0R8+eyvpJETNKXpP7ScoFDB5zpET71ixpZfR9oWN0EACyW80OzfpgZdNmc -c9kYvkHHNHnZ9GLCQ7mzJ7Aiy/k9UscwR7PJPrhq4ufogXBeQotPJqX+OsIgbrv4Fo7NDKm0 -G2x2EOFYeUY+VM6AqFcJNykbmROPDMjWLBz7BegIlT1lRtzuzWniTY+HKE40Cz7PFNm73bZQ -mq131BnW2hqIyE4bJ3XYsgjxroMwuREOzYfwhI0Vcnyh78zyiGG69Gm7DIwLdVcEuE4qFC49 -DxweMqZiNu5m4iK4BUBjECLzMx10coos9TkpoNPnG4CELcU9402x/RpvumUHO1jsQkUm+9ja -JXLE9gCxInm943xZYkqcBW89zubWR2OZxiRvchLIrH+QtAuRcOi35hYQcRfO3gZPSEF9NUqj -ifLJS3tBEW1ntwiYTOURGa5CgNz7kAXU+FDKvuStx8KU1xad5hePrzb7AgMBAAGjQjBAMA8G -A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJngGWcNYtt2s9o9uFvo/ULSMQ6HMA4GA1UdDwEB -/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAmHNw4rDT7TnsTGDZqRKGFx6W0OhUKDtkLSGm -+J1WE2pIPU/HPinbbViDVD2HfSMF1OQc3Og4ZYbFdada2zUFvXfeuyk3QAUHw5RSn8pk3fEb -K9xGChACMf1KaA0HZJDmHvUqoai7PF35owgLEQzxPy0QlG/+4jSHg9bP5Rs1bdID4bANqKCq -RieCNqcVtgimQlRXtpla4gt5kNdXElE1GYhBaCXUNxeEFfsBctyV3lImIJgm4nb1J2/6ADtK -YdkNy1GTKv0WBpanI5ojSP5RvbbEsLFUzt5sQa0WZ37b/TjNuThOssFgy50X31ieemKyJo90 -lZvkWx3SD92YHJtZuSPTMaCm/zjdzyBP6VhWOmfD0faZmZ26NraAL4hHT4a/RDqA5Dccprrq -l5gR0IRiR2Qequ5AvzSxnI9O4fKSTx+O856X3vOmeWqJcU9LJxdI/uz0UA9PSX3MReO9ekDF -QdxhVicGaeVyQYHTtgGJoC86cnn+OjC/QezHYj6RS8fZMXZC+fc8Y+wmjHMMfRod6qh8h6jC -J3zhM0EPz8/8AKAigJ5Kp28AsEFFtyLKaEjFQqKu3R3y4G5OBVixwJAWKqQ9EEC+j2Jjg6mc -gn0tAumDMHzLJ8n9HmYAsC7TIS+OMxZsmO0QqAfWzJPP29FpHOTKyeC2nOnOcXHebD8WpHkA -AAACAApjZmNhZXZyb290AAABfBBZrUgABVguNTA5AAAFkTCCBY0wggN1oAMCAQICBBhKzNYw -DQYJKoZIhvcNAQELBQAwVjELMAkGA1UEBhMCQ04xMDAuBgNVBAoMJ0NoaW5hIEZpbmFuY2lh 
-bCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEVMBMGA1UEAwwMQ0ZDQSBFViBST09UMB4XDTEy -MDgwODAzMDcwMVoXDTI5MTIzMTAzMDcwMVowVjELMAkGA1UEBhMCQ04xMDAuBgNVBAoMJ0No -aW5hIEZpbmFuY2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEVMBMGA1UEAwwMQ0ZDQSBF -ViBST09UMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA111rzRA/HwVZ1QVNN7EO -7JgrjhUd+pNLF4IhcRBS11FkcBbCVWlNjhVtn78MG8Lgo2fWDKzPIq6vd1QqS0yKU1J6w+4u -3rNxJcHpXT3uoS+j9yo8ySMdaqsdoafx8+yg1UTPFc9yLx1jl+iZ+f2TpFSATFLUUqsuSd+Q -zbhfvj/eocpNINQl6IQpU7exiB//+tqQnwqpLUE/sfEYKe4WWSw0SRqoBteoiNIDcnoy4upo -TW4slmV7yln68uLd7jAs+8xGrMRj629/Nis0cxKUf9/MJp7xcl1QZVmPabOHXjJvwxiKtZWP -sHo33lpFO8c24e9n0TnTl1tzYhlILYccBvt0mCBJc/AF0huxoKO3G3DTiGm5WtY49GLcJYt4 -v/jofrhcyZVPX6ctuSBrz2vd9Q30grf0smYuECj2l1p7lhaPARktbG5/OVgGZIMBg4PDTZLd -MsaHpDfpFs6qLWivCoFlOnDBm61NbVTKKi1LhRuzgOZwRQ1rXjXwfzu4nOQEcIkSJZPaCpki -YGpjYE52BphOvYOtHViKJYXSx2UeLY7G37bG4X+KBCEVKXTwPpyQnQwu8Yo+WqoMCR7H1Tyj -7ZfDHjT6OPkIDuPAXSuD0VZqybaoVFMueDJnPYJ/dND74bYFYLlw244L+RNYb3FgEFIQucFB -Ce9yH2cxeP+WBY0CAwEAAaNjMGEwHwYDVR0jBBgwFoAU4/4t/SjQC7W6tqLEvwaqBYyT+y8w -DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFOP+Lf0o0Au1urai -xL8GqgWMk/svMA0GCSqGSIb3DQEBCwUAA4ICAQAlxrpr64fL3oI5lj3wRKdrhHMD3p0rT7og -f7x4ss+XsBuc89d5LvVIttL7F4jm03o/7VMT0OIvannLACMo5h43VzWJhMJ2TzQ2rWfDzkEG -iMX37tgauNYLf1D/k6oXS4zs7VJgsqQG6k7r9GsZ/ev1GuAlKprcx0E298h0BYQ5lTnWCzuk -J/oI2Fwe+ARgUhEoKAP/71NmAKVKNBZmfP0JpK6eZxpvQQtrBhObj4ZxBbQvjYlmMyl2VJoR -+Cf6sj+R4M4NG/MwGq2/Il0b078lBU3hkhp/mZ88RJPK1EBJbICH1wQ6wzJSNQ5W+KXdfcSL -DREfU8seshe2aHda4NTLyAeu9Toujje30AFLQyl3jDmXj4Ja+FHliaAY52h/XQou+6NHDj2m -I3rGAcePyF6/bYBWvookujPqn+EyEZ7x0k+A9htArzieEVB5cxISzeZsnSyIcjwwgQaRIupZ -rdoZLiLCjbmMh+BmvHMjXyFkY4BI9aA8GD2UyEhBHUC6Xv7+VjmhyM9enhlkRhDaF5G3BYCs -i5mSfeei2AcLNifnSHlgisPXE1z4ckDfSsvPmQAKAAsRldpWRQOICp9n0NV5saiNQG0NwnpA -+vNfZEeSy1O5u1nOT/3QFVMB2N/r2eZ279AjuzupebPVAinNiaOWD0o1505CwHXNB8/mLOt7 -LgAAAAIAFWRpZ2ljZXJ0dHJ1c3RlZHJvb3RnNAAAAXwQWa1IAAVYLjUwOQAABZQwggWQMIID -eKADAgECAhAFmxtXno4hMuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVT 
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAf -BgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0zODAx -MTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNV -BAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBH -NDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/mkHNo3rvkXUo8MCIwaTPswqcl -LskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/zG6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/G -nhWlfr6fqVcWWVVyr2iTcMKyunWZanMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O -7F5OyJP4IWGbNOsFxl7sWxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13j -rclPXuU15zHL2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJB -MtfbBHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3JFxG -j2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3cAORFJYm2mkQZ -K37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqxYxhElRp2Yn72gLD76GSm -M9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0viastkF13nqsX40/ybzTQRESW+UQ -UOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aLT8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS31 -2amyHeUbAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1Ud -DgQWBBTs1+OC0nFdZEzfLmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfE -kRvDoaIAjeNkaA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvW -VPjSPMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK7VB6 -fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eBcg3AFDLvMFku -ruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp5aPNoiBB19GcZNnqJqGL -FNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msgdDDS4Dk0EIUhFQEI6FUy3nFJ2SgX -UE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vriRbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i -7UqLvBv9R0oN32dmfrJbQdA75PQ79ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPm -YQ/ShQDnUBrkG5WdGaG5nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1Tt -mlfB2/oQzxm3i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyB -Ia0HEEcRrYc9B9F1vM/zZn4AAAACACRlbnRydXN0cm9vdGNlcnRpZmljYXRpb25hdXRob3Jp -dHktZzQAAAF8EFmtSAAFWC41MDkAAAZPMIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVl 
-rVgwDQYJKoZIhvcNAQELBQAwgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJ -bmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQL -EzAoYykgMjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw -BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MB4XDTE1 -MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1F -bnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1z -MTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNl -IG9ubHkxMjAwBgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAt -IEc0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSX -bcr3DbVZwbPLqGgZ2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV -3imz/f3ET+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j -5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAMC1rlLAHG -VK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73TDtTUXm6Hnmo9RR3R -XRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNXwbMv9W3y+8qh+CmdRouzavbm -Zwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A2Vqq6nPopIICR5b+W45UYaPrL0swsIsj -dXJ8ITzI9vF01Bx7owVV7rtNOzK+mndmnqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM -6Nyfh3+9nEg2XpWjDrk4JFX8dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0 -LhyIRyk0X+IyqJwlN4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15d -Wf10hkNjc0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD -VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS5UKme4sP -DORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTSGwv2LFPSypBLhmb8 -qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGrhFV0d4QEJ1JrhkzO3bll/9bG -Xp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19y -IqtRLULVAJyZv967lDtX/Zr1hstWO1uIAeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7 -bIdKROf1beyAN/BYGW5KaHbwH5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDt -C3T7Zk6LERXpgUl+b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkv -FMSUHHuk2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol 
-IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk5F6G+TaU -33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuYn/PIjhs4ViFqUZPT -kcpG2om3PVODLAgfi49T3f+sHwAAAAIAF2NlcnR1bXRydXN0ZWRuZXR3b3JrY2EyAAABfBBZ -rUgABVguNTA5AAAF1jCCBdIwggO6oAMCAQICECHW0EpPJQ/JMjf8ql4SjekwDQYJKoZIhvcN -AQENBQAwgYAxCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBT -LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJDAiBgNVBAMT -G0NlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0EgMjAiGA8yMDExMTAwNjA4Mzk1NloYDzIwNDYx -MDA2MDgzOTU2WjCBgDELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9n -aWVzIFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEkMCIG -A1UEAxMbQ2VydHVtIFRydXN0ZWQgTmV0d29yayBDQSAyMIICIjANBgkqhkiG9w0BAQEFAAOC -Ag8AMIICCgKCAgEAvfl4+ObVgAxknYYblmRnPyI6HnUBfe/7XGeMycxca6mR5rlC5SBLm9qb -e7mZXdmbgEvXhEArJ9PoujC7Pgkap0mV7ytAJMKXx6fumyXvqAoAl4Vaqp3cKcniNQfrcE1K -1sGzVrihQTib0fsxf4/gX+GxPw+OFklg1waNGPmqJhCrKtPQ0WeNG0a+RzDVLnLRxWPa52N5 -RH5LYySJhi40PylMUosqp8DikSiJucBb+R3Z5yet/5oCl8HGUJKbAiy9qbk0WQq/hEr/3/6z -n+vZnuCYI+yma3cWKtvMrTscpIfcRnNeGWJoRVfkkIJCu0LW8GHgwaM9ZqNd9BjuiMmNF0Up -mTJ1AjHuKSbIawLmtWJFfzcVWiNoidQ+3k4nsPBADLxNF8tNorMe0AZa3faTz1d1mfX6hhpn -eLO/lv403L3nUlbls+V1e9dBkQXcXWnjlQ1DufyDljmVe2yAWk8TcsbXfSl6RLpSpCrVQUYJ -IP4ioLZbMI28iQzV13D4h1L92u+sUS4Hs07+0AnacO+Y+lbmbdu1V0vc5SwlFcieLnhO+Nqc -noYsylfzGuXIkosagpZ6w7xQEmnYDlpGizrrJvojybawgb5CAKT41v4wLsfSRvbljnX98sy5 -0IdbzAYQYLuDNbdeZ95H7JlI8aShFf6tjGKOOVVPORa5sWOd/7cCAwEAAaNCMEAwDwYDVR0T -AQH/BAUwAwEB/zAdBgNVHQ4EFgQUtqFUOQLDoD+Oirz61PgcptE6Dv0wDgYDVR0PAQH/BAQD -AgEGMA0GCSqGSIb3DQEBDQUAA4ICAQBxpQ7O5Om/PzjViVrEAmH7TMUUFy2LT1NrEBf8ZYTH -EEmQ3tvHJpOIJm9w1gJeOaD3j6uWtaUTXIEUbQ6BghEbik7GT6XdYh5E3wlZ9Ft3CzfpiyDG -+ApOLlgc6zPQz4Zgydr7gC+eTGCEeD0hZNb7QR8YD+fJdXG9vVzeNIc+QbAO9rnWPwkTlhQv -3podWrlWzjU6sF9wTV7jKfEjKHJZtqvCjGYmHHcsJnY1iyinaaD5O/Uj3YUQdMmQA1aR56+6 -R9QSlxEi46JJlGznt5RLui2k2jOLTKZE/1o8xh1k2LUx5KY8eqhXC9vtYRrL8c5zd2Okh29M -UTjW5F/Hn7aBKuSFSHlYXjv42wKCZ8E528N0Sz02Hvkpk4hoW6hEGSHwp+iBDSzokza0N7LK 
-sBsmepolH5qagJ5LKj/7o5r+czJxwp7GcuGKaCfx5A+0xEylYZP4lxAHKjAlqbnIcbjvaMwt -fvXgfg+CqG+2umyDQ3fNipIXoZ5beBY9ReIzct3hZsqZ08nFJv0NaARGrrbZm4y+Gb6xxvIZ -41wCyizYb0oH2ck12kB18sSnGW+eQhCYdeaVi2C87cUS14rO1ZhcVpYDxe53BjX/z+TuPxNh -7tvaLYXwza6dshgJRcOSoXIX/Ee2oAss8cTeQ2gIal878HZj+8wGLKbG4g61ub4kjwAAAAIA -JGVudHJ1c3Ryb290Y2VydGlmaWNhdGlvbmF1dGhvcml0eS1nMgAAAXwQWa1IAAVYLjUwOQAA -BEIwggQ+MIIDJqADAgECAgRKU4woMA0GCSqGSIb3DQEBCwUAMIG+MQswCQYDVQQGEwJVUzEW -MBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9s -ZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRo -b3JpemVkIHVzZSBvbmx5MTIwMAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBB -dXRob3JpdHkgLSBHMjAeFw0wOTA3MDcxNzI1NTRaFw0zMDEyMDcxNzU1NTRaMIG+MQswCQYD -VQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRy -dXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkgRW50cnVzdCwgSW5jLiAt -IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlm -aWNhdGlvbiBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -ALqEtnLbngxr4pnpMAGnduoyuJVBGsnaYU5Ycs/+9oJ5v3NhBgqlJ9izX9NFThxy1k4y8nKK -D/eDGdBqgIAARR6wx+eavxJXJxyjaC8Kh71qaw5eZfMcd9XUhY1wIbSzMueLotWGOQKxuNJH -zuTJScQ7p977VH1XvvDobsJ5sjoLVeJQmBYyE1wveFbBwpSz8lrkJ5qfJNfG7NCbJYLjzMLE -RcWMl3oGayoRn6kKbkg7b9vUERlC948Hv/VTX5w+9Bcs5mmsTjJMYnfqt+jluzS8GYuunFHn -t361U7EzIuVtz3A8Gvrim2e2g/SNpa9iTE3gWKxkNBID+LaNlGMkpHECAwEAAaNCMEAwDgYD -VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGpyJnrQHu995ztpUdRs -jZ+QEmarMA0GCSqGSIb3DQEBCwUAA4IBAQB5nx2WxrZ5PyKNh9OHAwRgamuaLlmJcxGsQ9H1 -E/+NOSvA8r1PcIypL+oXxAtUntQblpgzPKitYqIAdqtZaW4GHX7EuUSNmK8S1GHbChlGR/Pr -92PBQAVApdK39LWaNr+piHaIBFUEK5yHfxo3PH4tpRrY1Ileyr2sPWzYba/V83YPzTuIOCKd -bJOaxD2/ghtlP6YPXar85bIVyrWtxrw90ITo6gZysE05Mni/PhGcC6SdmiHz8JsLMHjbwdyH -Q/68Y5rKxcIcyceN/zsSWAjmtj3seixO+4OWzgw8aYdUc6RzwpP/URCsFVQB2PwFsYmhf3SD -mknX3E57ikhvi0X2AAAAAgA0aGVsbGVuaWNhY2FkZW1pY2FuZHJlc2VhcmNoaW5zdGl0dXRp -b25zZWNjcm9vdGNhMjAxNQAAAXwQWa1IAAVYLjUwOQAAAscwggLDMIICSqADAgECAgEAMAoG 
-CCqGSM49BAMCMIGqMQswCQYDVQQGEwJHUjEPMA0GA1UEBxMGQXRoZW5zMUQwQgYDVQQKEztI -ZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENlcnQuIEF1dGhv -cml0eTFEMEIGA1UEAxM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0 -aW9ucyBFQ0MgUm9vdENBIDIwMTUwHhcNMTUwNzA3MTAzNzEyWhcNNDAwNjMwMTAzNzEyWjCB -qjELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNh -ZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxRDBCBgNV -BAMTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgRUNDIFJv -b3RDQSAyMDE1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkqBB6EuChFzi+DERmYZkTgklL51B -LwquNU90lbJRZGuNa+Y/cJXwBURHpnI4UHaVAlqOriie+S1Ome8sSG9MJSno0XFb3x3BdTe0 -1/p7ekKcagpWWnxpC6qACSRsfsFGo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBBjAdBgNVHQ4EFgQUtCILgpkkAQ6cu+QO/b/7lyCTmSowCgYIKoZIzj0EAwIDZwAwZAIw -Z84WYjiirGJFp6mVJMAaJ5wyO8DA1bqp5/gEQ1OF7lIh3p31JYM+nlhLL9dnEw4hAjAF4XUB -3mjtKh9NTAkIDexLrWQXKOd1zkVlciEXyyJBDowTmDiaVG2byuJ86gJYIpEAAAACAB50d2Nh -cm9vdGNlcnRpZmljYXRpb25hdXRob3JpdHkAAAF8EFmtSAAFWC41MDkAAAN/MIIDezCCAmOg -AwIBAgIBATANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJUVzESMBAGA1UECgwJVEFJV0FO -LUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NBIFJvb3QgQ2VydGlmaWNhdGlv -biBBdXRob3JpdHkwHhcNMDgwODI4MDcyNDMzWhcNMzAxMjMxMTU1OTU5WjBfMQswCQYDVQQG -EwJUVzESMBAGA1UECgwJVEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFU -V0NBIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQCwfnK4pAOU5qfeCTiRShFAh6d8WWQUe7UREN3+v9XAu1bihSX0NXIP+FPQ -QeFEAcK0HMMxQhZHhTMidrIKbw/lJVBPhYa+v5guEGcevhEFhgWQxFnQfHgQsIBct+HHK3XL -fJ+utdGdIzdjp9xCoi2SBBtQwXu4PhvJVgSLL1KbralW6cH/ralYhzC2gfeXRfwZVzsrb+RH -9JlF/h3x+JejiB03HFyP4HYlmlD4oFT/RJB2I9IyxsOrBr/8+7/zrX2SYgJbKdM1o5OaQ2Rg -XbL6Mv87BK9NQGr5x+PvI/1ry+UPizgN7gr8/g+YnzAx3WxSZfmLgb4i4RxYA7qRG4kHAgMB -AAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqOFsm -jd6LWvJPelSDGRjjCDWmujANBgkqhkiG9w0BAQUFAAOCAQEAPNV3PdrfibqHDAhUaiBQkr6w -QT25JmSDCi/oQMCXKCeCMErJk/9q56YAf4lCmtYR5VPOL8zy2gXE/uJQxDqGfczafhAJO5I1 
-KlOy/usrBdlsXebQ79NqZp4VKIV66IIArB6nCWlWQtNoURi+VJq/REG6Sb4gumlc7rh3zc5s -H62Dlhh9DrUUOYTxKOkto557HnpyWoOzeW/vtPzQCqVYT0bf+215WfKEIlKuD8z7fDvnaspH -YcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocnyYh0igzyXxfkZYiesZSLX0zzG -5Y6yU8xJzrww/nsOM5D77dIUkR8HrwAAAAIAEHR3Y2FnbG9iYWxyb290Y2EAAAF8EFmtSAAF -WC41MDkAAAVFMIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMC -VFcxEjAQBgNVBAoTCVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMTVFdD -QSBHbG9iYWwgUm9vdCBDQTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5NTlaMFExCzAJ -BgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jvb3QgQ0ExHDAaBgNV -BAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCwBdvI64zEbooh745NnHEKH1Jw7W2CnJfF10xORUnLQEK1EjRsGcJ0pDFfhQKX7EMzClPS -nIyOt7h52yvVavKOZsTuKwEHktSz0ALfUPZVr2YOy+BHYC8rMjk1Ujoog/h7FsYYuGLWRyWR -zvAZEk2tY/XTP3VfKfChMBwqoJimFb3u/Rk28OKRQ4/6ytYQJ0lM793B8YVwm8rqqFpD/G2G -b3PpN0Wp8DbHzIh1HrtsBv+baz4X7GGqcXzGHaL3SekVtTzWoWH1EfcFbx39Eb7QMAfCKbAJ -Tibc46KokWofwpFFiFzlmLhxpRUZyXx1EcxwdE8tmx2RRP1WKKD+u4ZqyPpcC1jcxkt2yKsi -2XMPpfRaAok/T54igu6idFMqPVMnaR1sjjIsZAAmY2E2TqNGtz99sy2sbZCilaLOz9qC5wc0 -GZbpuCGqKX6mOL6OKUohZnkfs8O1CWfe1tQHRvMq2uYiN2DLgbYPoA/pyJV/v1WRBXrPPRXA -b94JlAGD1zQbzECl8LibZ9WYkTunhHiVJqRaCPgrdLQABDzfuBSO6N+pjWxnkjMdwLfS7JLI -vgm/LCkFbwJrnu+8vyq8W8BQj0FwcYeyTbcEqYSjMq+u7msXi7Kx/mzhkIyIqJdIzshNy/MG -z19qCkKxHh53L46g5pIOBvwFItIm4TFRfTLcDwIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAQYw -DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAXzSBdu+WHdXltdkCY4QWwa6g -cFGn90xHNcgL1yg9iXHZqjNB6hQbbCEAwGxCGX6faVsgQt+i0trEfJdLjbDorMjupWkEmQqS -pqsnLhpNgb+E1HAerUf+/UqdM+DyucRFCCEK2mlpc3INvjT+lIutwx4116KD7+U4x6WFH6vP -NOw/KP4M8VeGTslV9xzU2KV9Bnpv1d8Q34FOIWWxtuEXeZVFBs5fzNxGiWNoRI2T9GRwoD2d -KAXDOXC4Ynsg/eTb6QihuJ49CcdP+yz4k3ZB3lLg4VfSnQO8d57+nile98FRYB/e2guyLXW3 -Q0iT5/Z5xoRdgFlglPx4mI88k1HtQJAH32RjJMtOcQWh15QaiDLxInQirqWm2BJpTGCjAu4r -7NRjkgtevi92a6O2JryPA9gK8kxkRr05YuWW6zRjESjMlfGt7+/cgFhI6Uu46mWs6fyAtbXI -RfmswZ/ZuepiiI7E8UuDEq3mi4TWnsLrgxifarsbJGAzcMzs9zLzXNl5fe+epP7JI8Mk7hWS 
-sT2RTyaGvWZzJBPqpK5jwa19hAM8EHiGG3njxPPyBJUgriOCxLM6AGK/5jYk4Ve6xx6QddVf -P5VhK8E7zeWzaGHQRiapIVJpLesux+t3zqY6tQMzT3bR51xUAV3LePTJDL/PEo4XLSNolOer -/qmyKwbQBM0AAAACABFnbG9iYWxzaWducm9vdHI0NgAAAXwQWa1IAAVYLjUwOQAABV4wggVa -MIIDQqADAgECAhIR0ru51yMYnkBfCp0t0N8lZ9EwDQYJKoZIhvcNAQEMBQAwRjELMAkGA1UE -BhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExHDAaBgNVBAMTE0dsb2JhbFNpZ24g -Um9vdCBSNDYwHhcNMTkwMzIwMDAwMDAwWhcNNDYwMzIwMDAwMDAwWjBGMQswCQYDVQQGEwJC -RTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEcMBoGA1UEAxMTR2xvYmFsU2lnbiBSb290 -IFI0NjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKysdDLos2Xluu1DJh2miQ1F -uimIsqQdY93TwSwJV4k5oVXpZzR3DG7kVR1SJdITa17hHam3fYkyXw2enyx6Y2BAH6awtniP -mVSWCFiu5Aa8YgUCFr+vqCMDtpQPvG5swsvVprsM6fbBAvsh3mbdF6t0Qu/wdC8l9OprVVuQ -253fXocKQPutGWv798pgiN7awY/WrtV/1DyD7tcWTINFM2sn0IbQHC1r86t98YWp9SjSre/z -hEsch/wTozpyoloRK9YncSftgS1tZoGSh7QbWHrMPwr6Rk9NeFz4K0jjBITLXfa0arNl/EKe -USYjIMs9FPmB7WUWAE8aZJdmCM+Me+MrwJ35FPIb8VZqFr8shYXNeDia60JqAjQYgxdOlFb4 -toK185bdPfO+fyB3PnsZI2ss1HJzQ1d94PjXaU8XNgT5wJBgN0Xe5gzYdI2unKJtdF1Cvgb1 -2WRuAhCsibBMOwdNQH4kxYqYgnmOpKeCII0j+idxyd/GQXSgTfaRFtxGjF8pYzFZcQzYb8K2 -Mn375l1Tpn4V/Lt1fF3s+PYXHOzHaxnL83vwKwel2Wx5VHZsnRymbg7peQyoI2qj3xswMZ+x -VHv+astmqtxl0KKeSpoHIWuBj9vEWfreIsAEnOOqWzaT6D29eqGdC3axC8ed/c+YqAbC+Cqj -oYOgtyVypQLjAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0G -A1UdDgQWBBQDXKtzgYeozLCm1ZTiNpZJ/wWZLDANBgkqhkiG9w0BAQwFAAOCAgEAfHjs9gIs -u1t+kitdOdy+2B2iQjNN+e+kKjtEaR6s2UWjTjyn2CRRslQck07E73uThWAm6glI4PW7x+lo -0rtqMXHMea4RqPCZ/eUfvC+ozFfrdsQhpkdTVU1ovwWk7tcmq2LaQzdL4sa15bKDGTrH09tN -ngh68+7PPmL7rOhgzNHHoVyDRcRFzPMXaxTJBAI+0iSmeekezqLnwVkVnx3iS5o+n3YILWvY -ulcU2oPq/oxV6dBOqcx3MbFEEXpcsT7TFEUVGGIkE9LLTc5cg8E28hC1DohtuOFWn4nelmY5 -R2Qsbk2uYnu/YHQZuFaskqwWMu2taFX+mLrTNN70yWHDDob2S4Rg7g17tTJYeZFVLIFDs3Qf -eqolnh3XoYu5zUIuBKRmg02JNbZsqDZKeSF4ItBCvNFAMZChvgTPymft9fCA02DJgyoiBdAH -O1K/DJ6qK/m75h+PJbqFjRceAv5dUARXz/4tvO9cwBqrtp8kxt9zaEiQLBT0P1Ia5NLLFMNh -ac/i+RjFujOfFKMEXblx97WU2PYzwVrBNIt8m92TOucTonBhn6+P69jFdfgzZtR0Zzo3d5zn 
-3aQPdkNmikPyn/sMQnhj0eIPb3vUoT10l4W3SDlB1iD80Dqz+uhvxIq6cTe+i5exeDFPs+e2 -AxPOVJ2uJVnMfzVfCPdARTF4KnoAAAACABdiYWx0aW1vcmVjeWJlcnRydXN0cm9vdAAAAXwQ -Wa1IAAVYLjUwOQAAA3swggN3MIICX6ADAgECAgQCAAC5MA0GCSqGSIb3DQEBBQUAMFoxCzAJ -BgNVBAYTAklFMRIwEAYDVQQKEwlCYWx0aW1vcmUxEzARBgNVBAsTCkN5YmVyVHJ1c3QxIjAg -BgNVBAMTGUJhbHRpbW9yZSBDeWJlclRydXN0IFJvb3QwHhcNMDAwNTEyMTg0NjAwWhcNMjUw -NTEyMjM1OTAwWjBaMQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQL -EwpDeWJlclRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAowS7IquYPVfoJnKatXnUKeLh6JWAsbDjW44r -KZpk36Fd7bAJBW3bKC7OYqJi/rSI2hLrOOshncBBKwFSe4h30xyPx7q5iLVqCedz6BFAp9HM -ymKNLeWPC6ZQ0qhQwyjq9aslh4qalhypZ7g/DNX3+VITL8Ib1XBw8I/AEsoGy5rh2cozenfW -+Oy58WhEQkgT0sDCpK5eYP62pgX8tN0HWQLUWRiYY/WlY+CQDH1dsgZ684Xq69QDrl6EPl// -Fe1pvPk5NnJ1z3dSTfPJkCy5PeXJI1M/HySYIVwHmSm9xjrs526GOmuXdGMzvWgYMfB4jXa/ -/J6OXSqGp02Q3CcaOQIDAQABo0UwQzAdBgNVHQ4EFgQU5Z1ZMIJHWMys+ghUNoZ7OrUETfAw -EgYDVR0TAQH/BAgwBgEB/wIBAzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEB -AIUMXY7kb1FoQgWg3btPJyWEA733ZP0t1zDjpBAX69opKbZ5P3b2GRMjuBAK+Vik1GFwvQRh -ahKKF9UKvcW8MHzW6QwljYZAT+zMo344xjcRT+3daDGOTNKzAXTuvnVeB0gaf3D/FlyEwHmF -uAX9f75lEaMPwAK0+FI3OQTVqTF6GL+gKvQSmfejRYLjPF71nZ61yJ58Lsiknk4IFEtt/XBt -axpjvWTmH7fO8PKfLrsbt/JQiHOSwuLjFo2aMgKrjhjd6RAR7n41q5CvPjCUetAzPadlD/X8 -jp5iz0dELAFdux21MtJH0jgu0P6B3DJqHrXuPNX854EdGcMkQupjOakAAAACABNidXlwYXNz -Y2xhc3Mycm9vdGNhAAABfBBZrUgABVguNTA5AAAFXTCCBVkwggNBoAMCAQICAQIwDQYJKoZI -hvcNAQELBQAwTjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3 -MSAwHgYDVQQDDBdCdXlwYXNzIENsYXNzIDIgUm9vdCBDQTAeFw0xMDEwMjYwODM4MDNaFw00 -MDEwMjYwODM4MDNaME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRCdXlwYXNzIEFTLTk4MzE2 -MzMyNzEgMB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAyIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQDXx173wQfUd/tDIfT09Wnk7jIB26OGH+RZDbrndYNS6+ocYRVI -ux0HyoyusNyWnerDYJKGgihznFYG/0tk8AwqN0m15c8MfO7xSrtzMGXz1S+Dtn7j5/Weq2D5 -0/GdknSK5ByWrFuA6bX0MYejUfzHfqFvjlN31JfBVTOSPhgvddSthknLla9UBmzYBhONW//h 
-JhlZwCS6gXF5kERQaCSUX7izEfEpQWGjQcsjNtXB8TJQEE5/9IaT7ITTjrxLv1wBTgc93BSK -lAqk6nP7C1HoEwcY+g7xK9FUFX084fe0GUJnYl534KJV7LbZaRfVOq9E7UrFnuR6J3zlddeq -yyXn32sK2w9Nk06ooM17LvJZAWq3DbgHgX6LOBs45gpXmT3uIeij9QwW3YvsNI6cKhwAFReN -aIPScJ8YCM0RaNXJa1LNxEaP3LXz2FdzHumUOQS/09443rRT7Gkcon7Ej+QbcK3yovn79xZk -ZmmfSVGi4hUYZwZKf9VstU2zM+Bh612+6ZgPMtcdSzwuWgFSkQny3+qN2AZAY6oR5P7DN54U -Uj/04szyYZPR/Wdr11Kuv2irQEOgVzVTePBT+GFCB2TG12+bTDgNY6xirzaLonMKDfUhvXSq -TepyA0nbx18dYmPH/d2R7DPu9W20bjBo3sjWJrB1Xnu0ByCYoXYyuE1sTwIDAQABo0IwQDAP -BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTJgHfgYpKC9Uac87r3TMPeuKOtOTAOBgNVHQ8B -Af8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAFNfIfW6sDpSOSySsGwAye/OIO8G8pae6aR0 -f3oW/Lf1tvsVGz+rpsByXRCxce68T+OtrANtLnEur8TjraO9DBGntP9KsnsQEB+nV0GywK70 -LFnWRxCI8yFRKTDKYIavRqsd7TpbsJTeRONBCKLB7B3W/U+21kfQFAvK5sq1e3d+QR9eg8e2 -jDmWsD+WgUFvYJDi6Pn7InHZfbM9Rr+0hK+QHA+PEmqv7+4eeq4CSooXK3b+rFSJJCxPP7ay -p06MqJGX+ynGe1wtuctmtreoWxJRhbUJfmJ4cP6pamC2HQ55DP3K6iSAcsOXP/J3q0MiCsfr -tgyEgiyAa0GKCMDrpWvfmRLLitVegAyR4CYINkjF+jgRNf8lgy3yer/a/Y7+pctFLB/EiFOu -dw7ZmnbFjiwdo7rV7DKuwKqs99F6TevUB+JI9yKOsKSfas6OsrJg9KMi0CPrlFp6ad0Pv0BX -rGtZUNmjmeFu/o0BeScjFd6SnXsJTVrnS0gwWhjmCm3mj+DSu+bffG4hgsFoOU20mFhmYsxK -kF7D+icEsXkVdJnMvq0g3iZgHOtWUaaj6uSjP6f/YdzxWk1sMiND7qyo7u5KEgk8XXHCvnn6 -wodoHQv9XGnMBtCafVSZKsk5GhmvSypD82NdWljiL+Md5KnW0ArQnr/XgQnxyccmDayYFlag -AAAAAgAXZGlnaWNlcnRhc3N1cmVkaWRyb290ZzMAAAF8EFmtSAAFWC41MDkAAAJKMIICRjCC -Ac2gAwIBAgIQC6Fa+h3foLVJRK/NJKBs7DAKBggqhkjOPQQDAzBlMQswCQYDVQQGEwJVUzEV -MBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYD -VQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzMwHhcNMTMwODAxMTIwMDAwWhcNMzgw -MTE1MTIwMDAwWjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYD -VQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv -b3QgRzMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQZ57ysRGXtzbg/WPuNsVepRC0FFfLvC/8Q -dJ+1YlJfZn4f5dwbRXkLzMZTCp2NXQLZqVneAlr2lSoOjThKiknGvMYDOAdfVdp+CW7if17Q -RSAPWXYQ1qAk8C3eNvJsKTmjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGG 
-MB0GA1UdDgQWBBTL0L2p4ZgFUaFNN6KDec6NHSrkhDAKBggqhkjOPQQDAwNnADBkAjAlpIFF -AmsSS3V0T8gj43DydXLefInwz5FyYZ5eEJJZVrmDxxDnOOlYJjZ91eQ0hjkCMHw2U/Aw5WJj -OpnitqM7mzT6HtoQknFekROn3aRukswy1vUhZscv6pZjamVFkpUBtAAAAAIAFmNlcnR1bXRy -dXN0ZWRuZXR3b3JrY2EAAAF8EFmtSAAFWC41MDkAAAO/MIIDuzCCAqOgAwIBAgIDBETAMA0G -CSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xv -Z2llcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAg -BgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkx -MjMxMTIwNzM3WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dp -ZXMgUy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIwIAYD -VQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rHUV+rpDKmYYe2bg+G0jAC -l/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LMTXPb865Px1bVWqeWifrzq2jUI4ZZ -J88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVUBBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKk -nvISjFH4fOQtf/WsX+sWn7Et0brMkUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv -+XLTOcr+H9g0cvW0QM8xAcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQAB -o0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAO -BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15ysHhE -49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfLI9MA4GxWL+Fp -DQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8J9RHjboNRhx3zxSkHLmk -McScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qYVoNzcOSGGtIxQbovvi0TWnZvTuhO -gQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/no -nFWIGUbWtzT1fs45mtk48VH3TywAAAACABdkaWdpY2VydGFzc3VyZWRpZHJvb3RnMgAAAXwQ -Wa1IAAVYLjUwOQAAA5owggOWMIICfqADAgECAhALkxw61jln6mcjv8OvmvRLMA0GCSqGSIb3 -DQEBCwUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT -EHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBH -MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGUxCzAJBgNVBAYTAlVTMRUwEwYD -VQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMT 
-G0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBANnnKC9SPzZySYiTNPP4ah4xVICfrVRBtUfflqjUr4AtuQrPdf2JpX0k+uMiDCu8 -lRcLM78ZTUEGkAC9DE0Q/ge15xxuIlUxZZe90xfSHmLz2+psUIw/hAyWz7fLA+DKbaEUTBuJ -3e0AsFJ8r5FssTgT0ekSCMAAsBwrEdp3cDabrs55h9yCcOYJdHBVaa+jaJ+/3bZ5s/KdcClV -9Kv/lWHzyUBvHdG+k7vTiCq7nb9yWlZxOz/U89EK/ijvo+7Zma8D049gt/KSobG9iYkfMM3D -pi5iM64WAndEWueBCjynRC55uD8EvFygh+Ebr1GOzews+vj+bfA6fKqL5GeVMY0CAwEAAaNC -MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFM7DSrmZVfK4 -22C/qX69VrWXNqfWMA0GCSqGSIb3DQEBCwUAA4IBAQDKpVWM48hBbmknp3UR7zyGNm/SncZ4 -OB1plqKSaS44bJt9BNSJpbExN4rJIcyrbM2LHJrWv0jSMmbBisDzLzrvwOPUkYbRUOMD23N3 -b0o5U+3eJse1fa8rQtF1YuNKKwLHUEvgaeKWbA5EZhBEj60F6/h5rKYb6Dc0nVPJYaqiUq9K -cBaGwjrIsRNwNtjP7vQKNNVbTP0HnKK62QFyXPNNwd0OsRwNxGO+rfQU+4nsokEOTMzIV0DQ -bgOqzQyOiZmZbPA8MK8432+8o74pICerdP8TInjel1JVHoO1VCAD7q7AT1beN8zDf6oEJ7vT -d7hi2xd8nCgiE3Nszyb1iinnAAAAAgAKaXNyZ3Jvb3R4MQAAAXwQWa1IAAVYLjUwOQAABW8w -ggVrMIIDU6ADAgECAhEAghDPsNJA41lEY+C7Y4KLADANBgkqhkiG9w0BAQsFADBPMQswCQYD -VQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTAT -BgNVBAMTDElTUkcgUm9vdCBYMTAeFw0xNTA2MDQxMTA0MzhaFw0zNTA2MDQxMTA0MzhaME8x -CzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBTZWN1cml0eSBSZXNlYXJjaCBHcm91 -cDEVMBMGA1UEAxMMSVNSRyBSb290IFgxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC -AgEAregkc/QUN/ObnitXKByHvty33ziQjG485legePd1wqL+9Wpu9gBPKNveaIZsRJO2sWP9 -FBJrvx/S6jGbIX7RMzy6SPXded+zuP8S8SGaS8GKhnFpSmZmbI9+PHC/rSkiBvPkwOaAruJL -j7eZfpQDn9NHl3yZSCNT6DiuTwpvgy7RSVeMgHS22i/QOI17A3AhG3XyMDz6j67d2mOr6xZP -wo4RS37PC+j/tXcu9LJ7SuBMEiUMcI0DKaDhUyTsE9nuGb8Qs0qMP4mjYVHerIcHlPRjcewu -4m9bmIHhiVw0eWx27zuQYnnm26SaLybF0BDhDt7ZEI4W+7f3qPfH5QIHmI82CJXn4jeWDTZ1 -nvsOcrEdm7wD+UkF2IHdBbQq1kHprAF2lQoP2N/VvRIfNS8oF2zSmMGoCWR3bkc3us6sWV5o -nX9y1onFBkEpPlk+3Sb1JMkRp1qjTEAfRqGZtac6UW6GO559cqcSBXhZ7T5ReBULA4+N0C8F -sj57ShxLcwUS/Mbq4FATfEOTdLPKdOeOHwEI0DDUW3E2tAe6wTAwXEi3gjuYpn1giqKjKYLM -ur2DBBuigwNBodYF8RvCtvCofIY7RqhIKojcdpp2vx9qpT0Zj+s482TeyCsNCij/99viFULU 
-ItAnXeF5/hjncIitTubZizrG3SdRbv+8ZPUzQ08CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEG -MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqG -SIb3DQEBCwUAA4ICAQBVH1ipvLKoUNAMsdgaaSAnKQisYXVcim74guVpL9X2Vku5uHMQWdMh -l37nTHH7stJgrTmoC+oXIVaF8VAOWevO4FnpuskV74adj4SA9uTpkZDcF5tiG0XwZpXSfG/C -6jvvH8/L1q4n8amwyK79fX6a+iIE6//Zf+qRKyKxFw6P8oo0W1jY/AHJVLm4JsyKiDOJTC2E -PILf7pZXBbosu/fEt8dOO4K+Mcgic3OS0cKApDk5EDMjgkw8n4ayVZgdvimGjCKbnuJrO1c6 -gnBN3AnHicsKB01s6F2Oye/Oq8e7tStORdZK0CbM5XLKCGqlleMVofek7cksX6X7/6woAi6+ -13u743F7kBbTB15GU3w3B0KM08SWnNWZtSrglRqASK5MOQfOzEekUpUrurj7rdIzU33lHU1t -1aGxx0Jv5kAnNVyjKLcHjeeNM5DnI5/7UJx5bEbVtBWzlm5+mwyWOrhSLT/WW+H7CMKE/iSo -o4narGrhGCqxqENhW9Mf3DuNdvIt6I113xczbD1T+3vLQV//3KLQYTjhlrisXYs313XVM8CZ -Ea6dQcFydYS+AkFCX2ckSJTRmye+Bz+5uE+BdFHherftnSPivuDVKAQTPDEDnt16bI/GBxjG -f95Hjj8ongQGz6VUNHe97Imb6RdD31vbX/6OHleizUCdfmIi2t4YJwAAAAIAGXVjYWV4dGVu -ZGVkdmFsaWRhdGlvbnJvb3QAAAF8EFmtSAAFWC41MDkAAAVeMIIFWjCCA0KgAwIBAgIQT9Ir -j/VkyDOeTzRYZiNwYDANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDTjERMA8GA1UECgwI -VW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwHhcNMTUw -MzEzMDAwMDAwWhcNMzgxMjMxMDAwMDAwWjBHMQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5p -VHJ1c3QxJTAjBgNVBAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwggIiMA0GCSqG -SIb3DQEBAQUAA4ICDwAwggIKAoICAQCpCQcoEwKwmeBkqh5DFnpzsZGgdT6o+uM4AHrsiWog -D4vFsJszA1qGxliG1cGFu0/GnEBNyr7uaZa4rYEwmnySBesFK5pI0Lh2PpbIILvSsPGP2KxF -Rv+qZ2C0d35qHzwaUnoEPQc8hQ2E0B92CvdqFN9y4zR8V05WAT558aopO2z6+I9tTcg1367r -3CTueUWnhbYFiN6IXSV8l2RnCdm/WhUFhvMJHuxYMjMR83dksHYf5BA1FxvyDrFspCqjc/wJ -Hx4yGVMR59mzLC52LqGj3n5qiAno8geK+LLNEOfic0CTuwjRP+H8C5SzJe98ptfRr5//lpr1 -kXuYC3fUfugH0mK1lTnj8/FtDw5lhIpjVMWAtuCeS31HJqcBCF3RiJ7XwzJE+oJKCmhUfzhT -A8ykADNkUVkLo4KRel7sFsLzKuZi2irbWWIQJUoqgQtHB0MGcIfS+pMRKXpITeuUx3BNr2fV -UbGAIAEBtHoIppB/TuDvB0GHr2qlXov7z1CymlSvw4m6WC31MJixNnI5fkkE/SmnTHnkBVfb -lLkWU41Gsx2VYVdWf6/wFlthWG82UBEL2KwrlRYaDh8IzTY0ZRBiZtWAXxQgXy0MoHgKaNYs -1+lvK9JKBZP8nm9rZ/+I8U6laUpSNwXqxhaN0sSZ0YIrO7o1dfdRUVjzyAfd5LQDfwIDAQAB 
-o0IwQDAdBgNVHQ4EFgQU2XQ65DA9DfcS3H5aBZ8eNJr34RQwDwYDVR0TAQH/BAUwAwEB/zAO -BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBADaNl8xCFWQpN5smLNb7rhVpLGsa -GvdftvkHTFnq88nIua7Mui563MD1sC3AO6+fcAURap8lTwEpcOPlDOHqWnzcSbvBHiqB9RZL -cpHIojG5qtr8nR/zXUACE/xOHAbKsxSQVBcZEhrxH9cMaVr2cXj0lH2RC47skFSOvG+hTKv8 -dGT9cZr4QQehzZHkPJrgmzI5c6sq1WnIeJEmMX3ixzDx/BR4dxIOE/TdFpS/S2d7cFOFyrC7 -8zhNLJA5wA3CXWvp4uXViI3WLL+rG761KIcSF3Ru/H38j9CHJrAb+7lsq+KePRXBOy5nAliR -n+/4Qh8st2j1da3Ptfb/EX3C8CSlrdP6oDyp+l3cpaDvRKS+1ujl5BOWF3sGPjLtx7dCvHaj -2GU4Kzg1USEODm8uNBNA4StnDG1KQTAYI1oyVZnJF+A83vbsea0rWBmirSwiGpWOvpaQXUJX -xPkUAzUrHC1RVwinOt4/5Mi0A3PCwSaAuwtCH60NryZy2sy+s6ODWA2CxR9GUeOcGMyNm43s -Set1UNWMKFnKdDTajAshqx7qG+XH/RU+wBeq+yNuJkbL+vmxcmtpzyKEC2IPrNkZAJSidjzU -LZrtBJ4tBmIQN1IchXIbJ+XMxjHsN+xjWZsLHXbMfjKaiJUINlK73nZfdklJrX+9ZSCyycEr -dhh2n1axAAAAAgAGZWMtYWNjAAABfBBZrUgABVguNTA5AAAFWjCCBVYwggQ+oAMCAQICEO4r -PevUId4UqGKsBPPdxAEwDQYJKoZIhvcNAQEFBQAwgfMxCzAJBgNVBAYTAkVTMTswOQYDVQQK -EzJBZ2VuY2lhIENhdGFsYW5hIGRlIENlcnRpZmljYWNpbyAoTklGIFEtMDgwMTE3Ni1JKTEo -MCYGA1UECxMfU2VydmVpcyBQdWJsaWNzIGRlIENlcnRpZmljYWNpbzE1MDMGA1UECxMsVmVn -ZXUgaHR0cHM6Ly93d3cuY2F0Y2VydC5uZXQvdmVyYXJyZWwgKGMpMDMxNTAzBgNVBAsTLEpl -cmFycXVpYSBFbnRpdGF0cyBkZSBDZXJ0aWZpY2FjaW8gQ2F0YWxhbmVzMQ8wDQYDVQQDEwZF -Qy1BQ0MwHhcNMDMwMTA3MjMwMDAwWhcNMzEwMTA3MjI1OTU5WjCB8zELMAkGA1UEBhMCRVMx -OzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2VydGlmaWNhY2lvIChOSUYgUS0wODAx -MTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1YmxpY3MgZGUgQ2VydGlmaWNhY2lvMTUwMwYD -VQQLEyxWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAoYykwMzE1MDMG -A1UECxMsSmVyYXJxdWlhIEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRhbGFuZXMxDzAN -BgNVBAMTBkVDLUFDQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALMix0/il0KV -iEeDQPYdF/ODcyQeUfOYisOSuP9AkAVwh2DJAKm1lGUZIhUXwkNsZkSaDQQ+OW+lS3qqY7eK -RJ3ZY5GEZuAoD7pC426O9xQnk2nukQ6jXw6x62aick8SE4Zlej7bTwf0pwlg2jpCmceyf7MW -lRzH+TS1lIXVmV6gSKB+5xdluKJ1uB7z5UJ9r+3zikhkXYIUk9jA5P+zUHLydvazXUJQedCU -PmsMAL7Yaw5OKuw+0syCohhlMxN3nppdGhPYw9s9yJd67nDtp+Z823HPLZRi323W9Ti+P6WF 
-Chm4qNgJdUJwxOrvyw7INKgSIpgMuBOUtkvs8NCQ5ycCAwEAAaOB4zCB4DAdBgNVHREEFjAU -gRJlY19hY2NAY2F0Y2VydC5uZXQwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -HQYDVR0OBBYEFKDDi0SqN6VFv5eAWtHxeKKb6V2NMH8GA1UdIAR4MHYwdAYLKwYBBAH1eAED -AQowZTAsBggrBgEFBQcCARYgaHR0cHM6Ly93d3cuY2F0Y2VydC5uZXQvdmVyYXJyZWwwNQYI -KwYBBQUHAgIwKRonVmVnZXUgaHR0cHM6Ly93d3cuY2F0Y2VydC5uZXQvdmVyYXJyZWwgMA0G -CSqGSIb3DQEBBQUAA4IBAQCgSFuCAfZNSLg5VTWcgHpTmdVa/7FxO8w5CZRe1trvvgFbXdMe -2P19T82gQeA0k7/L4oacN5KQVhzc6ykF5cSexzXfigzNxSFD6aqI5TXAGUJjWgJepEgYOoVv -3J28P52cwYe4emEI6XcLf3Cret3ZlyxkHoW/vHSWocN6EuwMGm6DDDzockaf+0jVXpfmsaH4 -5O9GJZScidtpOL7sXA5Wx2VR5VCIiL9C1Ss95fm6ni6zyvRzkgILvkxm6yD+ucu1mX/mthP6 -yktN2e5TRgY7xk6tk1qBfmwqS2oFRYzyIaQxkIdsZZydpWCVOlJ/9dGrCG7z7lv5iD1+uG9u -A+RCAAAAAgAmc3NsLmNvbWV2cm9vdGNlcnRpZmljYXRpb25hdXRob3JpdHllY2MAAAF8EFmt -SAAFWC41MDkAAAKYMIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkG -A1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T -U0wgQ29ycG9yYXRpb24xNDAyBgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZpY2F0aW9u -IEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNTIzWhcNNDEwMjEyMTgxNTIzWjB/MQswCQYD -VQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24xGDAWBgNVBAoMD1NT -TCBDb3Jwb3JhdGlvbjE0MDIGA1UEAwwrU1NMLmNvbSBFViBSb290IENlcnRpZmljYXRpb24g -QXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuBBAAiA2IABKoSR5CYG/vvw0AHgyBO8TCC -ogbR8pKGYfL2IWjKAMTH6kMAVIbc/R/fALhBYlzccBYy3h+Z1MzFB8gIH2EWB1E9fVwHU+M1 -OIzfzZ/ZLg1KthkuWnBaBu2+8KGwytAJKaNjMGEwHQYDVR0OBBYEFFvKXuXe0oGqzagtZFG2 -2XKbl+ZPMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUW8pe5d7SgarNqC1kUbbZcpuX -5k8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2gAMGUCMQCK5kCJN+vp1RPZytRrJPOw -PYdGWBrssd9v+1a6cGvHOMzosYxPD/fxZ3YOg9AeUY8CMD32IygmTMZgh5Mmm7I1HrrW9zzR -HM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSgAAAAIAFGRpZ2ljZXJ0Z2xvYmFscm9vdGNh -AAABfBBZrUgABVguNTA5AAADszCCA68wggKXoAMCAQICEAg74FaQQkaxoXVqyVmRx0owDQYJ -KoZIhvcNAQEFBQAwYTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcG -A1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEgMB4GA1UEAxMXRGlnaUNlcnQgR2xvYmFsIFJvb3Qg 
-Q0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBhMQswCQYDVQQGEwJVUzEVMBMG -A1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQD -ExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAOI74RFy3qik06NXqlCijwt3kMmipe4SzpZbAQkgzAGTp04wt1P3Q8RpAFed4o0i3YcG -QACBCc7OG4O/3807cUbi1mbHBbN2JxaPe54elX3ut0ijCNrWr3oMOQZlf0pdH7wX+Ku+7ijX -dH96eJlZhWhuXCMyS79OwOhabeNwv3cQv/wB9oXZqEQQWDKpdRjV0aK+R+InavSaM/hJCGCL -1F+0OoS/oapKTH0+z09fbHZeoEs3kZ7cIuZtzhQajmrL/s2zFGQXx1spnjK/8u760wtC1Ku3 -QTLaDNTv+IHVu41YP7Ub6EkoonDaMQTd97IW8kwKTgeo7Uo9XrV/o5DDrycCAwEAAaNjMGEw -DgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAPeUDVW0Uy7ZvCj -4hsbw5eyPdFVMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB -BQUAA4IBAQDLnDeqSBMSCvrdRJxPUrD0364E9Xl5CKMkGPxLK4TALbnVx/70wR9Yy7htnHp0 -55gpqxG143Cgoc1MiJmTjJFw4qsPHL6Tqf9j1eQHYNOjv51bCfHVjuNT9I5j+j+n27Rm32Jm -1tFuQY3yLbXqd0qfnVjiK1nAQCPtLSiCRT55VJImmOCASKg37/DWeWAW3qzoDs1urEQXOC9J -2uFFPiq5NlPPOlAG9y7oxFdJbGEhGNUErXg8LDqAa6frrxUU6diJwbk4bOKRbIr/ZLl3JVcw -wBsko+Hc6d9HfLW0JAgFMOwtvQu/Rb9Quanz65gBEq3IiMaYNF+NCjzG6dWVlW3eAAAAAgAY -ZC10cnVzdHJvb3RjbGFzczNjYTIyMDA5AAABfBBZrUgABVguNTA5AAAENzCCBDMwggMboAMC -AQICAwmD8zANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJERTEVMBMGA1UECgwMRC1UcnVz -dCBHbWJIMScwJQYDVQQDDB5ELVRSVVNUIFJvb3QgQ2xhc3MgMyBDQSAyIDIwMDkwHhcNMDkx -MTA1MDgzNTU4WhcNMjkxMTA1MDgzNTU4WjBNMQswCQYDVQQGEwJERTEVMBMGA1UECgwMRC1U -cnVzdCBHbWJIMScwJQYDVQQDDB5ELVRSVVNUIFJvb3QgQ2xhc3MgMyBDQSAyIDIwMDkwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTskrPekfvdZsj+jov1lBFiTU6xmvb/tsA -aKjgAxEdN1AIn01KaJQ1s1PRlGOnIFav3lF47Co980hIUD4K30ZViydtwxBNDZFSQ9iH4F1O -NrUhyl85QARfW37Mo8YrqUAe2TaE1kjzkh40RiAkwaRRjkoa71A/aV0Zf0XDxwGPUckj6HKu -tLxWCX8SyxyxrymQCslVzA/TtBrtRzVaSu2ccwQh0Kq9DBO1AMombMRrDJRalZTaUJrx/6Ur -ZjGkyTig3x0fuAku86foZ1KrlR/gRj7YpMPKWsUxgOhImp+Uaf4Z3dhzfIHKlt6O7bMyBWWE -NObm/VcQtV92vy+wEA3FAgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW -BBT92hTEnzDeIb0eQjn8q2MjSeDxhDAOBgNVHQ8BAf8EBAMCAQYwgdMGA1UdHwSByzCByDCB 
-gKB+oHyGemxkYXA6Ly9kaXJlY3RvcnkuZC10cnVzdC5uZXQvQ049RC1UUlVTVCUyMFJvb3Ql -MjBDbGFzcyUyMDMlMjBDQSUyMDIlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1ERT9jZXJ0 -aWZpY2F0ZXJldm9jYXRpb25saXN0MEOgQaA/hj1odHRwOi8vd3d3LmQtdHJ1c3QubmV0L2Ny -bC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yXzIwMDkuY3JsMA0GCSqGSIb3DQEBCwUAA4IB -AQB/l9swyN+knH0heoBwzhQSaYgUlWBEAayy6TBPm1DCZth+jTC1cDHp4mnH83DbIBWG0A3w -vqwBdYTOfp9Nv7dgO5zzyh3iXmjYo52X5UBg0jYh/tC0uBfadKN/1N+wmAKsb2trLCUkcqFl -7iVa5eYy5/Lfq0n685BpI9sE2edcWPxl1Je+zPwuCswlKjUE+GCRFXU9Qf8jHxnIbOuCUwSm -5EwiTY2Mus5bc+xkVFBt0ZxV+2nDNsOMvDyFpmsKJg3gk5hgrn7GJJeKYV+RjmaSCYc2zYub -LT72UdRQ1FkovYPyzCh7U4Zt2CaIcNfqkc0+ucrAkG5axl50Zddc/qPiAAAAAgAsc3RhcmZp -ZWxkc2VydmljZXNyb290Y2VydGlmaWNhdGVhdXRob3JpdHktZzIAAAF8EFmtSAAFWC41MDkA -AAPzMIID7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMxEDAO -BgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVs -ZCBUZWNobm9sb2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVsZCBTZXJ2aWNlcyBSb290 -IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz -NTk1OVowgZgxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290 -dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQD -EzJTdGFyZmllbGQgU2VydmljZXMgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58g -E20pOsgPfTz3a3Y4Y9k2YKibXlwAgLIvWX/2h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm28xpW -riu2dBTrz/sm4xq6HZYuajtYlIlHVv8loJNwU4PahHQUw2eeBGg6345AWh1KTs9DkTvnVtYA -cMtS7nt9rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLPLJGmpufehRhJfGZOozptqbXuNC66 -DQO4M99H67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk6mFBrMnUVN+HL8cisibMn1lUaJ/8 -viovxFUcdUBgF4UCVTmLfwUCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E -BAMCAQYwHQYDVR0OBBYEFJxfAN+qAdcwKziIorhtSpzyEZGDMA0GCSqGSIb3DQEBCwUAA4IB -AQBLNqaEd2ndOxmfZyMIbw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPPE95Dz+I0swSd -HynVv/heyNXBve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTyxQGjhdBy -Pq1zqwubdQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkdiEDP 
-fUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn0q23KXB56jza -YyWf/Wi3MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCNsSi6AAAAAgAOY2VydGln -bmFyb290Y2EAAAF8EFmtSAAFWC41MDkAAAZfMIIGWzCCBEOgAwIBAgIRAMrpG4nxVQMNo+ZB -bcTjpuEwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURoaW15b3Rp -czEcMBoGA1UECwwTMDAwMiA0ODE0NjMwODEwMDAzNjEZMBcGA1UEAwwQQ2VydGlnbmEgUm9v -dCBDQTAeFw0xMzEwMDEwODMyMjdaFw0zMzEwMDEwODMyMjdaMFoxCzAJBgNVBAYTAkZSMRIw -EAYDVQQKDAlEaGlteW90aXMxHDAaBgNVBAsMEzAwMDIgNDgxNDYzMDgxMDAwMzYxGTAXBgNV -BAMMEENlcnRpZ25hIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDN -GDllGlmx6mQWDoyUJJV8g9PFOSbcDO8WV43X2KyjQn+Cyu3NW9sOty3tRQgXstmzy9YXUnIo -245Onoq2C/mehJpNdt4iKVzSs9IGPjA5qXSjklYcoW9MCiBtnyN6tMbaLOQdLNyzKNAT8kxO -AkmhVECe5uUFoC2EyP+YbNDrihqECB63aCPuI9Vwzm1RaRDuoXrC0SIxwoKF0vJVdlB8JXrJ -hFwLrN1CTivngqIkicuQstDuI7pmTLtipPlTWmR7fJj6o0ieD5Wupxj0auwuA0Wv8HT4Ks16 -XdG+RCYyKfHx9WzMfgIhC59vpD++nVPiz32pLHxYGpfhPTc3GGYo0kDFUYqMwy3OU4gkWGQw -FsWq4NYKpkDfePb1BHxpE4S80dGnBs8B92jAqFe7OmGtBIyT46388NtEbVncSVmurJqZNjBB -e3YzIoejwpKGbvlw7q6Hh5UbxHq9MfPU0uWZ/75I7HX1eBYdpnDBfzwboZL7z8g81sWTCo/1 -VTp2lc5ZmIoJlXcymoO6LAQ6l73UL77XbJuiyn1tJslV1c/DeVIICZkHJC1kJWumIWmbat10 -TWuXekG9qxf5kBdIjzb5LdXF2+6qhUVB+s06RbFo5jZMm5BX7CO5hwjCxAnxl4YqKE3idMDa -xIzb3+KhF1nOJFl0Mdp//TBt2dzhauH8XwIDAQABo4IBGjCCARYwDwYDVR0TAQH/BAUwAwEB -/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBiHVuBud+4kNTxOc5of1uHieX4rMB8GA1Ud -IwQYMBaAFBiHVuBud+4kNTxOc5of1uHieX4rMEQGA1UdIAQ9MDswOQYEVR0gADAxMC8GCCsG -AQUFBwIBFiNodHRwczovL3d3d3cuY2VydGlnbmEuZnIvYXV0b3JpdGVzLzBtBgNVHR8EZjBk -MC+gLaArhilodHRwOi8vY3JsLmNlcnRpZ25hLmZyL2NlcnRpZ25hcm9vdGNhLmNybDAxoC+g -LYYraHR0cDovL2NybC5kaGlteW90aXMuY29tL2NlcnRpZ25hcm9vdGNhLmNybDANBgkqhkiG -9w0BAQsFAAOCAgEAlLieT/DjlQgi581oQfccVdV8AOItOoldaDgvUSILSo3L6btdPrtcPbEo -/uRTVRPPoZAbAh1fZkYJMyjhDSSXcNMQH+pkV5a7XdrnxIxPTGRGHVyH41neQtGbqH6mid2P -HMkwgu07nM3A6RngatgCdTer9zQoKJHyBApPNeNgJgH60BGM+RFq7q89w1DTj18zeTyGqHNF -kIwgtnJzFyO+B2XleJINugHA64wcZr+shncBlA2c5uk5jR+mUYyZDDl34bSb+hxnV29qao6p 
-K0xXeXpXIs/NX2NGjVxZOob4Mkdio2cNGJHc+6Zr9UhhcyNZjgKnvETq9Emd8VRY+WCv2hik -LyhF3HqgiIZd8zvn/yk1gPxkQ5Tm4xxvvq0OKmOZK8l+hfZx6AYDlf7ej0gcWtSS6Cvu5zHb -ugRqh5jnxV/vfaci9wHYTfmJ0A6aBVmknpjZbyvKcL5kwlWj9Omvw5Ip3IgWJJk8jSaYtlu3 -zM63Nwf9JtmYhST/WSMDmu2dnajkXjjO11INb9I/bbEFa0nOipFGc/T2L/Coc3cOZayhjWZS -aX5LaAzHHjcng6WMxwLkFM1JAbBzs/3GkDpv0mztO+7skb6iQ12LAEpmJURw3kAP+HwV96LO -PNdeE4yBFxgX0b3xdxA61GU5wSesVywlVP+i2k+KYTlerj1KjL0AAAACABNhdG9zdHJ1c3Rl -ZHJvb3QyMDExAAABfBBZrUgABVguNTA5AAADezCCA3cwggJfoAMCAQICCFwzy2IsX7MyMA0G -CSqGSIb3DQEBCwUAMDwxHjAcBgNVBAMMFUF0b3MgVHJ1c3RlZFJvb3QgMjAxMTENMAsGA1UE -CgwEQXRvczELMAkGA1UEBhMCREUwHhcNMTEwNzA3MTQ1ODMwWhcNMzAxMjMxMjM1OTU5WjA8 -MR4wHAYDVQQDDBVBdG9zIFRydXN0ZWRSb290IDIwMTExDTALBgNVBAoMBEF0b3MxCzAJBgNV -BAYTAkRFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlYU7l28qOy47z6bzKTW+ -zxisPqrZ+E2gPhpHubya3/L+zD5H6HqWwiSONfSpDPyC/W3BcmInvepr6+eKzFQ+kFDPgNSV -++i1gtQUxbapVSVX27FQ9rBgZFl6ac8Dt28Nvso+b3Ry6qowKnNivkmRYcgR/g4DKvdqINwC -FQ1eFWr844LBtcWdZAlso1mYByfHG5YrYXRxbEPx9zWJEOCe7FWhNyKihwQFLEd9tBy5Yilm -KMq34ZP1pJQDmblwhbXmSOqNUPzZ3sxvBw7dC3KdgDAWB5U/KA79xXVPU9Z0mrQkLo4Ckc92 -xZseVXSceCGx8C3xC5/C1ZYYH/BUInqMBwIDAQABo30wezAdBgNVHQ4EFgQUp6UGsSymCWDu -0ZfpcK68Oxls2yEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBSnpQaxLKYJYO7Rl+lw -rrw7GWzbITAYBgNVHSAEETAPMA0GCysGAQQBsC0DBAEBMA4GA1UdDwEB/wQEAwIBhjANBgkq -hkiG9w0BAQsFAAOCAQEAJnc025RIhipBnSw+BpBgxIysC1S4H7l70wc55Po+e7I9Tu2fI72X -82tc7+79QKbfoZOhCoas7yDQeQG9ePcZ2CQxNAQBproVmsMn3NhPD8wYY/+ZDw6Ra3UW4SH8 -2CbHR7emz1hycX664U2VRzvJr22htMHsifa0Dzi14mTcJc+m2+uaXJmhxQje/eba1dZaRQzE -t8K1FO+0Ef8OFbX19dvGvetap/BWIqk8ZVTGFai9hp7Ng5ZoenGBieEL4eoRG2gIzGme7J5B -nkQyJnrihwpxPevkWqTS28XNxt5gf7nzT0SS7yq3GD6nGdkLfbE3QUKwumAd8v4JEbDwh3un -nQAAAAIAE2NlcnR1bXRydXN0ZWRyb290Y2EAAAF8EFmtSAAFWC41MDkAAAXEMIIFwDCCA6ig -AwIBAgIQHr9ZULjJgDdMBvfrVU+17TANBgkqhkiG9w0BAQ0FADB6MQswCQYDVQQGEwJQTDEh -MB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2Vy -dGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNVBAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0Ew 
-HhcNMTgwMzE2MTIxMDEzWhcNNDMwMzE2MTIxMDEzWjB6MQswCQYDVQQGEwJQTDEhMB8GA1UE -ChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNh -dGlvbiBBdXRob3JpdHkxHzAdBgNVBAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0EwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDRLY67tzbqbTeRn06TpwXkKQMlzhyC93yZn0EG -ze2jusDbCSzBfN8pfktlL5On1AFrAygYo9idBcEq2EXxkd7fO9CAAozPOA/qp1x4EaTByIVc -JdPTsuclzxFUl6s1wB52HO8AU5853BSlLCIls3Jy/I2z5T4IHhQqNwuIPMqw9MjCoa68wb4p -Z1Xi/K1ZXP69VyywkI3C7Te2fJmItdUDmj0VDT06qKhF8JVOJVkdzZhpu9PMMsmN74H+rX2J -u7pgE8pllWeg8xn2A1bUatMn4qGtg/BKEiJ3HAVz4hlxQsDsdUaakFjgao4rpUYwBI4Zshfj -vqm6f1bxJAPXsiEodg42MEx51UGamqi4NboMOvJEGyCI98Ul1z3G4z5D3Yf+xOr1Uz5MZf87 -Sst4WmsXXw3Hw09Omiqi7VdNIuJGmj8PkTQkfVXjjJU30xrwCSss0smNtA0Aq2cpKNgB9RkE -th2+dv5yXMSFytKAQd8FqKPVhJBPC/PgP5sZ0jeJP/J7UhyM9uH3PAeXjA6iWYEMspA90+NZ -Ru0PqafegGtaqge2Gcu8V/OXIXoMsSt0Puvap2ctTMSYnjYJdmZm/Bo/6khUHL4wvYBQv3y1 -zgD2DGHZ5yQD4OMBgQ692IU0iL2yNqh7XAjlRICMb/gv1SHKHRzQ+8S1h9E6Tsd2tTVItQID -AQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSM+xx1vALTn04uSNn5YFSqxLNP -+jAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQENBQADggIBAEii1QALLtA/vBzVtVRJHlpr -9OTy4EA34MwUe7nJ+jW1dReTagVphZzNTxl4WxmB82M+w85bj/UvXgF2Ez8sALnNllI5SW0E -TsXpD4YN4fqzX4IS8TrOZgYkNCvozMrnadyHncI013nR03e4qllY/p0m+jiGPp2Kh2RX5Rc6 -4vmNueMzeMGQ2Ljdt4NR5MTMI9UGfOZR0800McD2RrsLrfw9EAUqO0qRJe6M1ISHgCq8CYyq -OhNf6DR5UMEQGfnTKB7U0VEwKbOukGfWHwpjscWpxkIxYxeU72nLL/qMFH3EQxiJ2fAyQOaA -4kZf5ePBAFmo+eggvIksDkc0C+pXwlM2/KfUrzHN/gLldfq5Jwn58/U7yn2fqSLLiMmq0Uc9 -NneoWWRrJ8/vJ8HjJLWG965+Mk2weWjROeiQWMODvA8s1pfrzgzhIMfatz7DP78v3DSk+ysh -zWePS/Tj6tQ/50+6uaWTRRxmHyH6ZF5v4HaUMst19W7l9o/HuKTMqJZ9ZPskWkoDbGs4xugD -Q5r3V7mzKWmTOPQD8rv7gmsHINFSH5pkAnuYZttcTVoP0ISVoDwUQwbKytu4QTbaakRnh6+v -40URFWkIsr4WOZckbxJF0WddCajJFdr60qZfE2Efv4WstK2tBZQIgx51F9NxO5NQI1mg7TyR -VJ12AMXDuDjbAAAAAgAaaWRlbnRydXN0Y29tbWVyY2lhbHJvb3RjYTEAAAF8EFmtSAAFWC41 -MDkAAAVkMIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK -MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3Qg 
-Q29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQwMTE2MTgxMjIzWjBK -MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3Qg -Q29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCn -UBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZsh -q0PirK1ehm7zCYofWjK9ouuU+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN -2WIrvyQfYo3fw7gpS0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9 -t++uP0D1bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi -T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCLvYf5jysj -CiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjKVsk9+w8YfYs7wRPC -TY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZKdHzVWYfCP04MXFL0PfdSgvHq -o6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHTc+XvvqDtMwt0viAgxGds8AgDelWAf0ZO -lqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hvl7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6 -aMN7/zHwcz09lCqxC0EOoP5NiGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD -VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcN -AQELBQADggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH -6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwtLRvM7Kqa -s6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93nAbowacYXVKV7cnd -JZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3+wYQ+nVZZjFHKdp2mhzpgq7v -mrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRKW2XviQzdFKcgyxilJbQN+QHwotL0AMh0 -jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pTAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpC -dNTDd1lzzY9GvlU47/rokTLql1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyq -orkqG5w2gXjtw+hG4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0 -K+l+J6fZmUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A -7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6HAAAAAgAbc3RhYXRkZXJuZWRl -cmxhbmRlbmV2cm9vdGNhAAABfBBZrUgABVguNTA5AAAFdDCCBXAwggNYoAMCAQICBACYlo0w -DQYJKoZIhvcNAQELBQAwWDELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRlciBOZWRl -cmxhbmRlbjEpMCcGA1UEAwwgU3RhYXQgZGVyIE5lZGVybGFuZGVuIEVWIFJvb3QgQ0EwHhcN 
-MTAxMjA4MTExOTI5WhcNMjIxMjA4MTExMDI4WjBYMQswCQYDVQQGEwJOTDEeMBwGA1UECgwV -U3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFhdCBkZXIgTmVkZXJsYW5kZW4g -RVYgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOPHfon5JEs60jOD -NSxp7NwJpONRqCUrebgIPeCRuoSFxoWkyubJLlOkySQe/VVmcV0sxWBoBLfZwlImOIik1jtA -psLNP82Yk7NUFFiWVdVQ/oatpGN/XIf2juYnkmcXkgIDLNzWZnTt3Wf/wWGNY08Pm20XMCbv -q9IfEKD5xX8WaYEDR+0eaI1yoU2yJsa6bF9t1q/RsROOqa3zXml1Jhg+QSshf+6LXQcGnUPE -KQor/Co+hss8gzr5yQ3axZnivHhBM3bhvy9d5aSYUAwV3eD6nH84aNCypnqn0TG9fopYJ0Oz -ujOR06eYFVya5tMPddn8QZiXPqol24+SLrB7DF/xY6k3+Zt1aUwoJiXa1fIScEVV499zXjf1 -IWyQjjVaydMj69PAvnisQihYZqVGbXAC1xD5S1T8XYZKh89/ykWsEVq1IFGNL4hHlznAz7rA -QgFAmUghC2un0v2W1dG+Rp1J4AumoCJOONDBPDC8cI8sdczQxYxROz2UCGQmYX25w2WPFJwh -0Kr9F3IDj72bjOZeU565ne+Cu+G84nJBWyGU00U3lNHfCTld5yOqmh3KbagKhoWKgr5CB9by -OIJz2odb5TzTnj6nO570A7P58X0TdAL/u6Hl+gB5HKZmQYhcYFemLgnEuv2az6cfQMO7zFoK -VUs7OHZRuGOLhJQW5lbzAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD -AgEGMB0GA1UdDgQWBBT+qwCQmJ4k/KnMGor7J7i/MG6oOzANBgkqhkiG9w0BAQsFAAOCAgEA -z3csbla+TrO2hACUq0fJDdJ2x4afHQfTtrS7CHivadILSd4zxaytwogCfQa3NQLBYMm/xOiU -3tTTqRMlWv5uoq59Bdx982zwfqaN7tnXzlgX6KkprnNIh+ebym4poWRfGRP3rgYQ/1HGm01V -JU+TmRABU3XxE87HpkFB0r+IpX9F/Ky4pbUzDILE+wf2auUlhF8GysGGORHbWM13OyzCTA9e -muPwqz5hG1AkwsD08RnwESm2pRgCm9djTHCMR6MDQ1y5XUagDW//WY6+3Z9yw1sr34xbzuUM -RmySsgqjTFRCGBUSGL3a/Lp0bv/BtqBk2KlfVa6fXGp2lthzZ4f7TX9c7mnKcxD7iqn9nr02 -OElJh/QOFPDph7g/p096Wo551JPku2hShKxs6fOYcFVyMvk0qytJtc0gYuQ6emdjq5bcba6X -7PyfdlaILmbPW7bJpLDXBbrhJy+TuyYqopOwG/OOvh1Ao7k2jz6CGhpeiOpQ+Fnig0YpC+NE -XOGVtmmQmhRvl66Bz2jvmZq+tefhf/j6E0cWTMxtCEDni3hvUIJEUD9mBoqrQ4RWSg8gLYYO -9dLb0nqKS82l6E7xXiYlAVkjoH7S9n4hV9cnvBVXTKRGweCDHgxMTR9PBhni+aj0OoKhsnlD -edatb3onkAOk6iSHP9m92enyX1BJHO7s1y4AAAACACV0dWJpdGFra2FtdXNtc3Nsa29rc2Vy -dGlmaWthc2ktc3VydW0xAAABfBBZrUgABVguNTA5AAAEZzCCBGMwggNLoAMCAQICAQEwDQYJ -KoZIhvcNAQELBQAwgdIxCzAJBgNVBAYTAlRSMRgwFgYDVQQHEw9HZWJ6ZSAtIEtvY2FlbGkx -QjBABgNVBAoTOVR1cmtpeWUgQmlsaW1zZWwgdmUgVGVrbm9sb2ppayBBcmFzdGlybWEgS3Vy 
-dW11IC0gVFVCSVRBSzEtMCsGA1UECxMkS2FtdSBTZXJ0aWZpa2FzeW9uIE1lcmtlemkgLSBL -YW11IFNNMTYwNAYDVQQDEy1UVUJJVEFLIEthbXUgU00gU1NMIEtvayBTZXJ0aWZpa2FzaSAt -IFN1cnVtIDEwHhcNMTMxMTI1MDgyNTU1WhcNNDMxMDI1MDgyNTU1WjCB0jELMAkGA1UEBhMC -VFIxGDAWBgNVBAcTD0dlYnplIC0gS29jYWVsaTFCMEAGA1UEChM5VHVya2l5ZSBCaWxpbXNl -bCB2ZSBUZWtub2xvamlrIEFyYXN0aXJtYSBLdXJ1bXUgLSBUVUJJVEFLMS0wKwYDVQQLEyRL -YW11IFNlcnRpZmlrYXN5b24gTWVya2V6aSAtIEthbXUgU00xNjA0BgNVBAMTLVRVQklUQUsg -S2FtdSBTTSBTU0wgS29rIFNlcnRpZmlrYXNpIC0gU3VydW0gMTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAK91MDOqu2vTmSwSN4TZjXuXgNNu5/+bUJU+kJVWQtcZfCaEjZL6 -AR06D+JkOLeMvOiI+Yskqy6j9TfkQI4YJXmDdR87/2yoxcZW+LTtikSjq2xM/B3Q3O9ovc/k -qs7wVfeiNNSDazd8HML+tQPsV868tLXF7QAPUzcqTfRPDIP7hs/L/oxOvYf5p4shV5x63wNn -iSydl2GnELhVkH8OLSc4dN/n/dpOEuNNFSICyODg/A+titfJVFDMOw/KFoCE0FFWw45Wf4ki -My/mhQq9pagbNt7T3CxtO8cTvVkjLOblpPfYC+3qkEBEqJW7k9XQgDS2RngOHwCTRuHu6fns -TxcCAwEAAaNCMEAwHQYDVR0OBBYEFGU/x4qGxjzdPFRcNfg67VIMR1fIMA4GA1UdDwEB/wQE -AwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqP+HxMo6u4ZhcS17P -ax5qCdIiqRLHXld9c1ZkgIR6k+QJuRDNnyon4QB3vkjINaiBn+S4LMl/DrDSSzdd6rnVC140 -vfRzKcPtJhWcfghTiliN0Eso38Gz3yDz+ePjOt/MnJTYTk/Daxe393LorWYztSVTq+D4TKmd -/fINuq652arGa/mTu66ruJc8Axq6Q8aWuUVyOLOnoZY9kXt+wCFTTIft8gtUlVGT1SKlDYrx -kw4+VA6w2MlO3PIxMlbqZPnqtZ0WZkJy83/TsTFD/KSOF/FtI6uUZvit+w8IbiYtfxcHCbKM -+1DAn5aNz7b9AJ1aFJq/AkT1wcKfIl6iD6HjAAAAAgANdHJ1c3Rjb3JlY2EtMQAAAXwQWa1I -AAVYLjUwOQAABCQwggQgMIIDCKADAgECAgkAhIIsXxxi0EAwDQYJKoZIhvcNAQELBQAwgZwx -CzAJBgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw -IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29y -IENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3IgRUNBLTEwHhcNMTYw -MjA0MTIzMjMzWhcNMjkxMjMxMTcyODA3WjCBnDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBh -bmFtYTEUMBIGA1UEBwwLUGFuYW1hIENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMg -Uy4gZGUgUi5MLjEnMCUGA1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcw -FQYDVQQDDA5UcnVzdENvciBFQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB 
-AM+P4BG1n6h2dtvfD1Tvc2Mpgq1HxqNr7f5fM/hDUekaM5ExF6B0xNSnAeaykj5qne0O+XSY -QNM/A4AGgkDoseKnUacdgyZrq976F5Er2MasHrGeGQHVl6bqDbfEVR8nfNII1XYfKRWHQDnd -OEURddCapzTgv83IUh25R34NuLvGDPZzVxZafkORH1U6xm1EBKqcqZynTIkXg66jBF5SgIse -EiURGdcMfX0xREHq26+wHO+B0CzFmiGbPe1CO1Am8uzOcWEGYiFUTn/BnT5/IIyAyyrYl2LI -gzORfbCiWg9X6DvM8iWy1Hwv7E3GoToVeue2XTX19khKNkVm1LqYWMECAwEAAaNjMGEwHQYD -VR0OBBYEFESeSPXMbUjUoEt//lkkL4OXmZqGMB8GA1UdIwQYMBaAFESeSPXMbUjUoEt//lkk -L4OXmZqGMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUA -A4IBAQAFPjVcFXCbycdzYW9yK9TCj/JDXQLOxJS5lBGDZ13iZ2x1dr+7DKo2xq1Hk2PcHn7W -3i7+6RkyOAN/FPYAcyxZsSEG4fusGJUMo/+ZlvcrJ5vVJMwd3cE64JhEsMTkPnexc6lkLPYc -AXw/XUWFwIXnJY+V3BfzPJ8abrDK4x0q6Uxj+iRhYtbafrYcbPUCHdQq3VWQ6yoRRzwuXnSy -giKlfVMfRewnkX3nIhbowGg22MbxT4BEMvnh0dEdqt6oq5wEr60gDmSYTaVrwEhYlmlN3AeM -UZOi358PPYtgtIKNqghOYkXg+QvS4OA8W95ccSclwuYDgYsQU+PHVaK0n9fmAAAAAgAPZW1z -aWducm9vdGNhLWcxAAABfBBZrUgABVguNTA5AAADmDCCA5QwggJ8oAMCAQICCjH15GIMbFjt -1tgwDQYJKoZIhvcNAQELBQAwZzELMAkGA1UEBhMCSU4xEzARBgNVBAsTCmVtU2lnbiBQS0kx -JTAjBgNVBAoTHGVNdWRocmEgVGVjaG5vbG9naWVzIExpbWl0ZWQxHDAaBgNVBAMTE2VtU2ln -biBSb290IENBIC0gRzEwHhcNMTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBnMQswCQYD -VQQGEwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNobm9s -b2dpZXMgTGltaXRlZDEcMBoGA1UEAxMTZW1TaWduIFJvb3QgQ0EgLSBHMTCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAJNLu+lmiu6dW9U0k9AbHsPnnrhkM39jeGi0zS5xddeb -IMZNKby2aGCK9yGaVjVa83a92M2a/5NWS6VZBqGTNCndFjR1TvKBtMeWTq0ZFVJK/jxwdXDN -ryurFZozPKqzi6rNQ/316nD/7c8RO5TOTjIW0yNAKnezrzwBLGztmSyL2U5pmLL3j0GwMnhh -1g1fw/qiQJIdXBfmcD4156K3wmLiq6Q4TLU5NW/qA2n6OlRohW3W8i9DVR6RDQ7Y1WqkltET -PCx4UOg6ktIXVuU1GkAcPo0s7TnfQuCDQXTfo83ChmBIaONpC1QAi+R2aSENeU40CF4Uwsyx -t63XfHCKx4UCAwEAAaNCMEAwHQYDVR0OBBYEFPvvDYaesOPdqbnxIRd/PvzwdysaMA4GA1Ud -DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBZ//KM9Yd9 -cT2jnxtb0dr405xrNr2bqWHr3hYsdD2e5nXa17qnvEIX5z2R6+V93T6c8c+SrGxIzMIiP2k7 -xbYVL6M1xmgqHFevOe+N0DXDGAx7AFYczYsZdN6+DxLg0KqhPwI0sXDOnRjWCAMJRu5g4H62 
-xEkEUX1wYLyqsv95cnqmHT1fKvjK4v05t0e5637fBCOv+pwGB+n7Y5OAQLXGbAoxKM4Mn8+z -IzWAQY1sxDd7gS+AoUBChenZOI3ooVPNAb9p6FoG8kULkPqu4b+d8q5XPKWuslb0i2VA6f0x -gSz0OQnY7muntKYdFaWY9wGB2IV981FccYjeuswfgH5KAAAAAgAPdWNhZ2xvYmFsZzJyb290 -AAABfBBZrUgABVguNTA5AAAFSjCCBUYwggMuoAMCAQICEF3fsdpao+1dvlplIGUDkO8wDQYJ -KoZIhvcNAQELBQAwPTELMAkGA1UEBhMCQ04xETAPBgNVBAoMCFVuaVRydXN0MRswGQYDVQQD -DBJVQ0EgR2xvYmFsIEcyIFJvb3QwHhcNMTYwMzExMDAwMDAwWhcNNDAxMjMxMDAwMDAwWjA9 -MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxGzAZBgNVBAMMElVDQSBHbG9iYWwg -RzIgUm9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMXmK2987yYFJ6OBJNpv -ywH5mZqpMsIih2FBkTvLw2gbBsVMqSvBZxciHSvt+SmJk6J4vZJroKMNon7Kk7Om0Yw11XX5 -F/bPRcXleux3k6CPI64OGgN/vtTQ7S57q0YjW/8s5lR6lMAqFfDJjbB6OyTh12jiMTwGM0a2 -VBGmpS8iVCpYDQEC8foVUWdswPrXtht/0VaILxo6jTu7ghHgRwDQUoer+4Z+DyRrQJ00Z7yN -xy2Gb3k+jqk8F0t/sJnjsHFg3Av1ZMPOQ7xtcbnS3idbiujYxq7hWX3PKC01uJVWGvGyWEu3 -EjfIfLPtS4DhjfoyI7Zvt0iVCLFEToWMOgJUIC/fv1dPOzqQIdfBJjVUIOzHP0fs71q/S3rB -rTsXUFxi2A9LStwr+m68c5LN7MdQ6EGW16l+bdjpHY+KtblYkrpKkisMVv2A6wjwXiluGxwM -r4+Tia3bvaOeIcqJGezftcMa6xb+eDZM1m7QPhcckBdrJrr7ei+/ERwYDi1zA4+g5TWgWuJM -dR1x4Tk4U3hAzIOT1wqenVuPiuTl4EjkSLJHzU4qdSp78iL2yb4JkZZXeoiIrO5wrPncKeMM -HDsSTkTWp06wJsjz2RqXkWjq741GBtJWRViaPAwPg7gFJcM5zzukNIm3eRIvR8XnqZdp/KZ3 -Z7Xfe/F6ZRXkYVZlAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ -MB0GA1UdDgQWBBSBxIzM9eQw/6UMCF+MFWchdAHf3zANBgkqhkiG9w0BAQsFAAOCAgEAE2Ui -9Y4rrUTky/+5aObDgEg9BHv6Iy967Tbass5t9uae5V9Yj8s3MqHIZbauOD01Gz68O7YE0Lz5 -SfWb94XFNrbLvPjIOdXkXwe9FVSXdMrK7U+6umR2n4G4hEVJTI1vouuxzNHDlNpEwubi6hjo -oh8nBbrX5dapzd3vdpiNAA7NG/oDt46AWA4nP1L7lKLKXmXJ1oTauTVx8ybAT3fmgSfSdzua -FG959PbQ4dOUutBXUb0nBQ3B/cgSMO5vjRErCJ3U1L+ARRSaiETaMOq0p+Pu71uC1T7WrXiS -21w889it+rhrf8Q2KLYCFYpULJywF3OO0DejFDyYlQAMKQVbnklJsV/H48vPJ2WONRe3V8gw -2UFbuRS26MIPlDGnlJjMauu14Sf1EKgB6I4SYuiIzLV/RpfAmxBmOBo2Rl8iaD3fycYTJ6tT -BqyiPIYGZW+xfrEpRJqjuklpKGmP1+VfrQSGZG8aoAzFCGLOgKPQ8+xo3r4zxxdbf4DETEyx -poSKwzu4Cc0UgboY41RXNv7bL3xHoTozyPlYO0RPscoCiQSWKGjFS7gmibvWMy9Q1f6aiboY 
-MpJUxlvgnfle5Q0im/ba4sghsmIhqoZAsi5k01/I434RZ0UfBf7jou+zqLPzfY/4DB8iHy1w -tLgBNHYwAOUjeKdW11AfivsG9cIZ8NAAAAACABJlbXNpZ25lY2Nyb290Y2EtZzMAAAF8EFmt -SAAFWC41MDkAAAJSMIICTjCCAdOgAwIBAgIKPPYHqWhwDtqLhDAKBggqhkjOPQQDAzBrMQsw -CQYDVQQGEwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNo -bm9sb2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gRzMwHhcN -MTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBrMQswCQYDVQQGEwJJTjETMBEGA1UECxMK -ZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNobm9sb2dpZXMgTGltaXRlZDEgMB4G -A1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gRzMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQj -pQy4LRL1KPOxst3iAhKAnjlfSU2fySU0WXTsuwYc58Byr+iuL+FBVIcUqEqy6HyC5ltqtdyz -dc6LBtCGI79G1Y4PPwT01xySfvalY8L1X44uT6EYGQIrMgqCZH0Wk9GjQjBAMB0GA1UdDgQW -BBR8XQKEE9TMipuBzhccLikenEhjQjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB -/zAKBggqhkjOPQQDAwNpADBmAjEAvvNhzwIQHWSVB7gYboiFBS+DCBeQyh+KTOgNG3qxrdWB -CUfvO6wIBHxcmbHtRwfSAjEAnbpV/KlK6O3t5nYBQnvI+GDZjVGLVTv7jHvrZQnD+JbNR6iC -8hZVdyR+EhCVBCyjAAAAAgAbc2VjdXJpdHljb21tdW5pY2F0aW9ucm9vdGNhAAABfBBZrUgA -BVguNTA5AAADXjCCA1owggJCoAMCAQICAQAwDQYJKoZIhvcNAQEFBQAwUDELMAkGA1UEBhMC -SlAxGDAWBgNVBAoTD1NFQ09NIFRydXN0Lm5ldDEnMCUGA1UECxMeU2VjdXJpdHkgQ29tbXVu -aWNhdGlvbiBSb290Q0ExMB4XDTAzMDkzMDA0MjA0OVoXDTIzMDkzMDA0MjA0OVowUDELMAkG -A1UEBhMCSlAxGDAWBgNVBAoTD1NFQ09NIFRydXN0Lm5ldDEnMCUGA1UECxMeU2VjdXJpdHkg -Q29tbXVuaWNhdGlvbiBSb290Q0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -s7P+f9Ntse8WfFelDG12ii9Lv2T7TO6K8PMpfPX/7irg6em6W2QimppvLDomaVEFmSbc1Rxq -ccaafR6d3XxsxoxnZ0o++HGwGSepCQymlb9LjAz6VZg72OgioUtxOHmsl5Jps4l+6iFoBpgU -lofSYTa8bSdWnlfuwMBW/TLPpNmOwiPXjajz2CWsl+RwOPS2OrSdO5cmQ6OhvElZckwjMIcB -WPZOvhxoVmavzUFdyLNNKlVGqx/aHuJAPdvNfbmSgJw33QyWZJ3cIvdki99h3hWUUhWgfVLJ -S6ghycax7cvDlWDRD/CrcPjfy01+7Nb6q9m9f1Typel5+tnWdiQocwIDAQABoz8wPTAdBgNV -HQ4EFgQUoHNJmWjchVtl45soL1efvTO8B0gwCwYDVR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMB -Af8wDQYJKoZIhvcNAQEFBQADggEBAGhAqai75E9debMFtRezYBPrxpJd4NHTav77vpttv8cF -bVkgxBzwt9qEWAJj+kgW70+lC/dKmPI/nhutR2tjzghH61I/eJyvTa741U/PmpgqEEE5UsTd 
-2ZsO75MBrrIuymhCJEJssLM6Ps3p2kjEFcvp+QcPklBJit0xl1/J6TeqO1lll5QyybOfPjpi -WMVJrWIOcaUyqi/GiXZDQBMTZz2iVCUQy/E68tn620lWu6b+p0E1w+CIYcmIx982ECKYWeqw -SvtWFnNurE33IqFPrR16LUUn5TDBXvLaE8slQlGVRwOMbCHMdELtU/8zi48PVwEWL8+m7slw -IhS9/b5sCwMAAAACABxjb21vZG9jZXJ0aWZpY2F0aW9uYXV0aG9yaXR5AAABfBBZrUgABVgu -NTA5AAAEITCCBB0wggMFoAMCAQICEE6BLYqCZeALAu4+NQJG5T0wDQYJKoZIhvcNAQEFBQAw -gYExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcT -B1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMScwJQYDVQQDEx5DT01PRE8g -Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5 -WjCBgTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE -BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNVBAMTHkNPTU9E -TyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBANBAi4ty45Eb91HBG1QEmNOpv8Hmil07h/u7iM4N4y8/BpbwoilQma7bO6FXsHRRcc3t -QpFNQf6pyNhqhndEu1lml1BetNQscETP2jeVQmk8MMRxs1LwIU2h2Lo5fByeoySd8oMWmKoW -fEObFVu3rjSR/tRiJhhGmj/rwfnxkFfrrHoNi9tyMGpm1eBGo3DcaNn/BEiJd9616ftnbUHp -vDm9MtliAvGxqD1uN5ziL+LToiaLxrhVQ4jhIz6l0iQ5akerANShs6kl/g0/px2601HBC6Ta -rDjvVVAkBWVGkzRPLY2txtQhGdKOygVhcQdzR+WKGRK9BE3OTpylSKy7JvcCAwEAAaOBjjCB -izAdBgNVHQ4EFgQUC1jli8ZMFTekQKkwqSG+RzZaVv8wDgYDVR0PAQH/BAQDAgEGMA8GA1Ud -EwEB/wQFMAMBAf8wSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v -Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAD6Y -npv2G+nXObd4rh1yGEnTh+RDgus/yar1qLXvVXwhUmX51Q3hbPQ+jJNzkS4CxE4HcW/Ajzhh -CKgegQrALyAvQYuR3EhFvPHG3rp2azPIAC0xRkzt553PiJT/M8BW6CSGJrjYODjfKmvdEszH -P0cXTKLCBpYJ1tv+PzxGQd9Y4lYPPDvBHJM12ThSrO7I7C4wTpQ1tCQfS3hp2vICOMyVUpPw -cCVZnCBnxO75i1dh9JJ2fT+EjVW36OWs1fH1GVamWvuQHK+T6+Uc1GeXXQQOvguDpheDuTAS -oMUzFQW5DfvHBXbj2EqN/DQXo8YhKL4wRTEex3i+WGE4rDviAWUAAAACABF4cmFtcGdsb2Jh -bGNhcm9vdAAAAXwQWa1IAAVYLjUwOQAABDQwggQwMIIDGKADAgECAhBQlGzsGOrVnE3Vl+91 -j6CtMA0GCSqGSIb3DQEBBQUAMIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3LnhyYW1w -c2VjdXJpdHkuY29tMSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMxLTAr 
-BgNVBAMTJFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDExMDEx -NzE0MDRaFw0zNTAxMDEwNTM3MTlaMIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3Lnhy -YW1wc2VjdXJpdHkuY29tMSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMx -LTArBgNVBAMTJFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJgkHr0VtLrfx4ylJ7Y4C2nztk6oLC4hHVxE3yFd -fiN0/l5+tEq3pq0fruAGFuKbW9lndGtdgI8pnYYb2ZwNmG12EChY5GWwf0qYeZ/gwzF+gCu1 -jMBAOxGG0MuihjZgpNUwgm3ZbtAPEgQzl19PYVrw5PmRq+cdO7zoz/RrLTR84khhHI7zYUTM -b6BKqZSwTdrnqTR6cjioQcw8lBF968imjLeGy8ozO9k9N4v7ej6GLOdz1wpXrGSbGev0DwQI -iqwDFxlk9FolIo00LLL2aB0SbdOKHhTaxI+m4iOF1XoNvWrg6ezsF7tCG2eqJe1FgyH8wcl8 -1WI++vLFLdP91GUCAwEAAaOBnzCBnDATBgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMC -AYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxk+iPQZjhAmczmLkBKyNXLXpthswNgYD -VR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC54cmFtcHNlY3VyaXR5LmNvbS9YR0NBLmNybDAQ -BgkrBgEEAYI3FQEEAwIBATANBgkqhkiG9w0BAQUFAAOCAQEAkRU5AwEbZ/tKHPkKYFuh2k2X -YvkkUyfXgmROkC7DSRsrmtz8qHhnNfEd8BG9t0jjEPYN3z/SybaqVaRIugLb3lkuFVs7nRZ9 -R9c36l9NdhI2ux/XoYEERiCjLG2pngF+PynOAJPf/cmSc4mJZJ7nK+QckSzSuc59zm8xmdPm -vtIekPAJFHlcI6tN0tohH02ZeZ3hzyefEJsciA2wimRBMbgObJAkpJtccY+6u34cG9tqgA8h -vOnbprdA9LKLqbHk75oa0D1pme6oKKPhPLPwshGcz3xA5t3nQ32i2Dq1qY3yNJnE1BDhBv0J -hBA77sRM9OwnfELCdHyCignJtAMlvAAAAAIAEXF1b3ZhZGlzcm9vdGNhM2czAAABfBBZrUgA -BVguNTA5AAAFZDCCBWAwggNIoAMCAQICFC71mwIop9t6/9Wjqe69A6DPEmodMA0GCSqGSIb3 -DQEBCwUAMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYD -VQQDExVRdW9WYWRpcyBSb290IENBIDMgRzMwHhcNMTIwMTEyMjAyNjMyWhcNNDIwMTEyMjAy -NjMyWjBIMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEeMBwGA1UE -AxMVUXVvVmFkaXMgUm9vdCBDQSAzIEczMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC -AgEAs8sOEGeO6hSXpzIqClY2f2hMx7NvOiMUkf8Zf6XKrO6zdp166Ysbq2sx2/oLU0yvxaUa -eTyKTP+s3yXeTtmCMgtE3srbjKyjbhaDO6ZkSzKJ+xYWOH7rQ+LTdErCYgpzCt1Js1fSsAqF -nXE83qPLwDLzATkgQxs10VOzse7Fk2mCPha1KEah3uqJCe1DuAVGiob1WUe+G28BIRC5/anS -KMoQOQnKEzbPnK2tQHR5KwI/NP/6IGl90+5h9bqz5zDQNyOGcmFFKUhZaG93pi6BvgdNb6/O 
-xEUTkRRwBo8fn/iHabEO78OJGevqHGH8emyK3NYDC54muhLd1FQ5qyajM+p1gdotzQ9P5APR -7xWXG2uQxQKQk2YCIbFH3ouaSoC5VY+1oi/A1jNn2n7Ep7QEROtH++ZYufcM8HsrscBwKcNA -Yi07SGncIzxI63sJealt2qgwmM+AcgOIpltGrnJ5fAgDIWWut+EcpbEqojHeZgT3wHTocd7/ -PVnMliYSi4WVVxqra3ULRD0RKDx7Ybfij2dP5ew8TGCAaVc4HgFbjVXox9/AzHcjNEl1fPaY -Eest3u1BLhQFAn/g/iDrNecRrCLOVz3eyTBtEAOFzfH/jBa1wbI+iGxgf5BPlff2La0BOQcE -+nWAfb9JUO3vycR8HOuAftu20N0T/snTnNeyl6kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB -/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMYX0Lyo6gJD8hsGmV0rkCC515zkMA0GCSqG -SIb3DQEBCwUAA4ICAQA0YdlWtRKHVU3dozUxRrukB3K8X2Fi6KX7CzexPLaz+imdfwL1pMmo -k7d6cShpj3PhUpDa1b465bd2alaAId9d5uk6nuU+9qJpxyoKsBhH3CBwfVKjPll8wbrJyBVA -Ycpy1nCs0rfwHOSGKfDO72hj0LUgihVhmn6GmLTJwnb7zLowFsyjYcZ0E+Vr76MV6gP+E4tk -5NPB0uiE+0nREE15Zuuq/fSNMR5wFK3c3mcTTIEVYby32ZF3cRmBYLvwWKW1nAv3jyJVJ8BL -AW07mQ3UHZtjZy/Q7g3KZryUT6at7fzuY6xXP2Ulz7KGj9AI/7h2FG7e5Sfsq3i1U7m2P+gg -+dKovmFGyoeMhPP58aBomyIegSabEASRccAGH9yg07lWp+OYLX+Dnd+MK5wyjjKU8AE8Iiqf -Q8Iuw5g5Bzh7/F4AQh/zMiZ5g4T25fDBURLACx4EIwxUpUwvScVK0bZuYA1r/GuLhSRkt4kO -qyVHWzzPfkm9x+kKxtr3fg4XCNNIl9BxkvAPOT40ahx92PIirrtp9DO0pkhV0Q8OJujstgst -p4U1zf1ZyJ/RzT5aKTS5PYTOsWXUWZGRVnUhwXee+XrhYJ3TrQQY9HzrXpOPU0oiKfhIKz5N -hqxbf8sGmVlg2FhllY1E0fd/fid/fa6A9QdMtj6ccVSZBEv9WPmY9AAAAAIAEnNlY3VyZXNp -Z25yb290Y2ExMQAAAXwQWa1IAAVYLjUwOQAAA3EwggNtMIICVaADAgECAgEBMA0GCSqGSIb3 -DQEBBQUAMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZpY2F0aW9uIFNl -cnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RDQTExMB4XDTA5MDQwODA0 -NTY0N1oXDTI5MDQwODA0NTY0N1owWDELMAkGA1UEBhMCSlAxKzApBgNVBAoTIkphcGFuIENl -cnRpZmljYXRpb24gU2VydmljZXMsIEluYy4xHDAaBgNVBAMTE1NlY3VyZVNpZ24gUm9vdENB -MTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD9d6qlHJAFO8tMmzOLWhRFpOeQ -FtHfV9IhEKQX/d+s1h+n5Nt89+zfuAPalFj9XXJ8jD9fAWd0FZbjAjyH267LAY7C82bGhUX0 -AsY6tWKyr/qcv6Tm1IAwmPMNtpOPqdTYNvKw/IrKLKEVM5Ux2sAb8u5imYZjP7/dkyqDqHa5 -Ex+3zk5ChY8i5y4a8pUJsgW1RE53oSC9qfJOCn1QrfUFDUVPRnH9KD5T+wTYLddlHUob+s87 -sDGaNW7IiwbTAJHylAhlTLE0BgB6ieLwxwNZz9XW6Kcys+aYQIbFzScSi8x7zrcRPGJgByM+ 
-K0BulIAJbbazb3dvNQhQ+wKHxT6JAgMBAAGjQjBAMB0GA1UdDgQWBBRb+E1PsqWG1DrS8WOa -oL4J9le33jAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUF -AAOCAQEAoKE4FmYup1YfIZwG+h3tuSLFOCbYTk/so3953kYhoYd3jwcImrKkxa8PMpgLfGYp -tpt9JVJJQ6tMLituenCvFg7jAmz7QuYYnUXYVcjoO93n4fQuCxw0XGxYSvuMiFBflRy/7asi -tWWzhbqeD7it5XobilA6Hb0NvHtUUAu5Qq9VoBiBrWWZ777knL/EhatBslRv3CXN7XjijgyN -CUndY3taaZYCIai9UlnpfTXLyFLKf4H+2WvT9xHtJd/45/mk+nKXhFMNpdAyGFF2WRRsD+vs -X4CMdUODw4WY/0yeLQ3kd4OTTrWWB4soE5uMGY1BJ0lA7t7mI0Q53KEi1roD8gAAAAIAEmFm -ZmlybXRydXN0cHJlbWl1bQAAAXwQWa1IAAVYLjUwOQAABUowggVGMIIDLqADAgECAghtjBRG -saYK7jANBgkqhkiG9w0BAQwFADBBMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLQWZmaXJtVHJ1 -c3QxHDAaBgNVBAMME0FmZmlybVRydXN0IFByZW1pdW0wHhcNMTAwMTI5MTQxMDM2WhcNNDAx -MjMxMTQxMDM2WjBBMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLQWZmaXJtVHJ1c3QxHDAaBgNV -BAMME0FmZmlybVRydXN0IFByZW1pdW0wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQDEEt+pX/5B3d31n4rj9qzhPHiavNjwf3qgMyrcjSBbri1v55PZNnBqaM+OUaOFW2cEoBAk -b10ogsGXV9hIKRO24b6RTd+FDFMYmh4kok+P8KKFC8v0KX/SpFjuJk3Jqqh7mtn6ON5EVxXl -+IzI2UjiDRYnHR7Ig4Ult7qqVUHMAyJLLZGNi+aJr2bH6f8r6Tys2tKzw+FonIn4egBW3vRV -lWz7umTdYovfC3cy62LMJpqbu6pig0y0BnowyCm/7QZNl7kcxDEr1V+8UxIXnJlXKWZ3YSEx -By4lSZ0Y8u7zK3GMtbo5B0l3/O8ukpAFjS0vd3vvQ781u5rY+XOnLPLQV+4oTiZfj5BoCS+4 -+NwG6S6aPlGn0SLECqc4SGyz+f99q4ZX47rWhXh3ukPqSH/22L4jbR6/0TZsWFzx7qQZVBr1 -A9J25uGMvTyz00hL4sj4f5KodkacQmU+pB7BBwNaRi24l/O31bJVIe+63EwAl/sUlSczv+hD -R0bSCJkWYDuaftLm7Tjq7AEePEhWSQnHTDcAnogOwHPhb2bpckcwPhDlCwPJmkIAbMWUfmHE -it9/ghoLWcRZMnezvGBpVjn9tAZ7LNZkNtm9SO2EH36lIo8quEL0grfUU5B4Ti0a/YFvRNc7 -AXSWQuAA4i5r6sXucqy7v/7qqqj43PayeYq2ZwIDAQABo0IwQDAdBgNVHQ4EFgQUncBnpgwi -2Sb1RaumZVIRJ9hFrGMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZI -hvcNAQEMBQADggIBALNXTRBiTjrkrOq4HK8yI8izSVpRnHYojXmqV0YX1fVS9rdE6AhEvxiE -0guAzcUS/QBVBWGHQdy1JJ48xNjI+3CeL3iWgyA23nwPaROIpXU2mAimxt+szuNY1rc+3rrz -6zRA2KKB9Xg/L9Wl/Nmi1F4EDhet/kHw5bJy+kSCM0LoLVj3VoxiP7pCsJwMXH4uZSZcU08A -snh+oQ2ZLY24HY6ixLD9YNAwpI7IBGKpxO013nqX7Q44XpIvk3ClqZxvp30THX7GCEixXmfr 
-UQgl6eYla1IpkZzSOXMIV96ZBrRbnRAG4cIAqLgcSgIKFNDBQcr7jDUhfYI48qlUkRk1k5Rt -ajrFstC7iYaT6JvJDzqnerih8HhG+vw3L+WKhPPf/gTZoWigLyTiCZUG1ZXK4SSW63z2kwW7 -7XPpLdF1OdfnJNvYTl9Dj57QFDm/VXBImVcxtJzuSpgDljAfYAbuGyP+gWAjGkdihaXMGTSA -b7OsGuOf8HtIrdUB2We2qXKT6i1mtbK45D08su9MjOrrB7+rNZpVhrwYprWoXrSDbGtpQNOf -3PHDaWu54W0J9PGqUHYKen16F6FVlkKZMQndYBGNBTB+5o5G0Z0U2scX5AWWjMQktRvPFAey -QPijnkGGvATQa5bIKoA0/b/vBqPdWMWFPT6P/p4p4La4CWgZHBhDAAAAAgAQZ2xvYmFsc2ln -bnJvb3RjYQAAAXwQWa1IAAVYLjUwOQAAA3kwggN1MIICXaADAgECAgsEAAAAAAEVS1rDlDAN -BgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z -YTEQMA4GA1UECxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTk4 -MDkwMTEyMDAwMFoXDTI4MDEyODEyMDAwMFowVzELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEds -b2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24g -Um9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoO5pmNzqPjT4p++/GL -gyVr6kgf8SqwuZURBL3wY9HiZ2bPHN3PG0gr7o2JjpqvKYBlq+nHLRLLqxxMcAehPQowzRWN -T/jd1IxQFRzvUO7ELvf86VLykX3gbdU1MI5eQ3PyQenVauOyiTpWOThvBjyIaVsqTcWnVLhs -icyb+TzK5f2J9RI8kniW1tx0bpNEYdGNx0aydQ6G6BmK1W1s1XgWlaLpyAo46/IkE09zVJMT -hTobvB40tYsFjLl3i7HbHyCRqwlTbpDOezd0uXBHkSJRYxZ5rrGuQSYIyBkr0UaqSNZkKteD -NP8sKsFsGUNKB4Xn03z2IWjv6vJSn3+TkM8CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G -A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3 -DQEBBQUAA4IBAQDWc+d8T3bQjb/suqK+NMUoMrV8/GycLCu9CZ5Tv2teqhFItuUIo7PKPWFN -00YJsz7DoONjVRvyuu+tOeFDuTij5i+KJjvvoFBW+cYK/TjNxAtwUZSXmATfw1+U1RXJFEGc -xF11ZBUN/1Uw7IaP/w3vLLljRvaq/N+8af0uEkhkmuCV8KbvKY8BsRW1DB2l/mksaSR4HrOn -HHFi7srIl6wXXYrC+EeGbirEVjGV0GeJhSv5bKZdRp0MqoLkmVHdcLfbVj1h5GrhXNb2/j3e -QcwHrmNSv1NT9Cvpx/2294JfhdJBGNuBswQcxR+kgG8VIMneDIgKHdZmVeL8SMkpJmngAAAA -AgARcXVvdmFkaXNyb290Y2EyZzMAAAF8EFmtSAAFWC41MDkAAAVkMIIFYDCCA0igAwIBAgIU -RFc0JFuBiZs18s64KztbpybwdSgwDQYJKoZIhvcNAQELBQAwSDELMAkGA1UEBhMCQk0xGTAX -BgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBH -MzAeFw0xMjAxMTIxODU5MzJaFw00MjAxMTIxODU5MzJaMEgxCzAJBgNVBAYTAkJNMRkwFwYD 
-VQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDIgRzMw -ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChriWyARjcV4g/Ruv5r+LrI3HimtFh -ZiFfqq8nUeVuGxbULX1QsFN3vXg6YOJkApt8hpvWGo6t/x8Vf9WVHhLL5hSEBMHfNrMWn4rj -yduYNM7YMxcoRvynyfDStNVNCXJJ+fKH46nafaF9a7I6JaltUkSs+L5u+9ymc5GQYaYDFCDy -54ejiK2toIz/pgslUiXnFgHVy7g1gQyjO/Dh4fxaXc6AcW34Sas+O7q414AB+6XrW7PFXmAq -MaCvN+ggOp+oMiwMzAkd056OXbxMmO7FGmh77FOm6RQ1o9/NgJ8MSPsc9PG/Srj61YxxSscf -rf5BmrODXfKEVu+lV0POKa2Mq1W/xPtbAd0jIaFYAI7D0GoT7RPjEiuA3GfmlbLNHiJuKvhB -1PLKFAeNilUSxmn1uIZoL1NesNKqIcGY5jDjZ1XHm26sGahVpkUG0CM62+tlXSoREfA7T8pt -9DTEceT/AFr2XK4jYIVz8eQQsSWu1ZK7E8EM4DnatDlXtas1qnIhO4M15zHfeiFuuDIIfR0y -kRVKYnLP43ehvNURG3YBZwjgQQvD6xVu+KQZ2aKrr+InUlYrAoosFCT5v0ICvybIxo/gbjh9 -Uy3l7ZizlWNof/k19N+IxWA1ksB8aRxhlRbQ694Lrz4EEEVlWFA4r0jyWbYW8jwNkALGcC4B -rTwV1wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4E -FgQU7edvdlq/YOxJW8ald7tyFnGbxD0wDQYJKoZIhvcNAQELBQADggIBAJHfgD9DCX5xwvfr -s4iP4VGyvD11+ShdyLyZm3tdquXK4Qr36LLTn91nMX66AarHakE7kNQIXLJgapDwyM4DYvmL -7ftuKtwGTTwpD4kWilhMSA/ohGHqPHKmd+RCroijQ1h5fq7KpVMNqT1wvSAZYaRsOPxDMuHB -R//47PERIjKWnML2W2mWeyAMQ0GaW/ZZGYjeVYg3UQt4XAoeo0L9x52ID8DyeAIkVJOviYeI -yUqAHerQbj5hLja7NQ4nlv1mNDthcnPxFlxHBlRJAHpYErAK74X9sbgzdWqTHBLmYF5vHX/J -HyPLhGGfHoJE+V+tYlUkmlKY7VHnoX6XOuYvHxHaU4AshZ6rNRDbIl9qxV6XU/IyAgkwo1jw -DQHVcsaxfGl7w/U2Rcxhbl5MlMVerugOXou/983g7aEOGzPuVBj+D77vfoRrQ+NwmNtddbIN -WQeFFSM51vHfqSYP1kjHs6Yi9TM3WpVHn3u6GBVv/9YUZINJ0gpnIdsPNWNgKCLjsZWDzYWm -3S8P52dSbrsvhXz1SnPnxT7AvSESBT/8twNJAlvIJebiVDj1eYeMHVOyToV7BjjHLPj4sHKN -JeV3UvQDHEimUF+IIDBu8oJDqz2XhOdT+yHBTw8imoa4WSr2Rz0ZiC3oheGe7IUIarFsNMkd -7EgrO3jtZsSOeWmD3n+MAAAAAgAVYWZmaXJtdHJ1c3RwcmVtaXVtZWNjAAABfBBZrUgABVgu -NTA5AAACAjCCAf4wggGFoAMCAQICCHSXJYrHP3pUMAoGCCqGSM49BAMDMEUxCzAJBgNVBAYT -AlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJtVHJ1c3QgUHJlbWl1 -bSBFQ0MwHhcNMTAwMTI5MTQyMDI0WhcNNDAxMjMxMTQyMDI0WjBFMQswCQYDVQQGEwJVUzEU -MBIGA1UECgwLQWZmaXJtVHJ1c3QxIDAeBgNVBAMMF0FmZmlybVRydXN0IFByZW1pdW0gRUND 
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEDTBeGxWdA9CheTW3OjySesoVHM1i85wmXAc95VT6 -o9bMEur0FF/ojhmrLy5I5qwYQ3is0DfDvbLNLOZH4hrmY7g9Li94xE/b9A+kaExVcmuVHU4Y -QpV4zDc8keKbZSspo0IwQDAdBgNVHQ4EFgQUmq8pesARNTUmUTAAw2r+QNWu1jwwDwYDVR0T -AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwMDZwAwZAIwFwnzh4hQWq/I -wEK/R1/1bGqG4MQndOQ4U9cFfxs048Yvs8oJPDed1+e4RvH9oeJxAjBCWYdD1FHfutMJMlrO -iH5XPZxfQmv1By218IKT+VlvrmT6WOWLHuNjvrWBzW8CjHkAAAACABNob25na29uZ3Bvc3Ry -b290Y2EzAAABfBBZrUgABVguNTA5AAAF0zCCBc8wggO3oAMCAQICFAgWX4pMpewAyZNA38TG -riO4HFqkMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNVBAYTAkhLMRIwEAYDVQQIEwlIb25nIEtv -bmcxEjAQBgNVBAcTCUhvbmcgS29uZzEWMBQGA1UEChMNSG9uZ2tvbmcgUG9zdDEgMB4GA1UE -AxMXSG9uZ2tvbmcgUG9zdCBSb290IENBIDMwHhcNMTcwNjAzMDIyOTQ2WhcNNDIwNjAzMDIy -OTQ2WjBvMQswCQYDVQQGEwJISzESMBAGA1UECBMJSG9uZyBLb25nMRIwEAYDVQQHEwlIb25n -IEtvbmcxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg -Um9vdCBDQSAzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs4jX6s4PIE6+5tYD -be5Z/MJX3ylooYMOPmjHaFicHGBLiUMMudQVsu7BTnXptafv5ek1meTMHOdLX40zMCAzU9mm -u9U+E47pH4dJrVAtUMoYvgFYohNwlruJiFaAXPi9LDzhTFeIu9O5le/Lx/baMXQopuZUifVB -McrlJhrNguBw2jspu9UD9Zm6VfVk0WAOs4lJuIovBdKERSh8j2hQEnj8C7VTy8KYHISjnrC+ -I6Ta3MgrHtpuRR6JmNr5AC4G6Qw7cNVQJYiZy81zYPfV/zVnxaG8XqvNSrhF68hoHg0NFEYS -49JkYopCmLy0xggI+P2oTGScdgG9L6lsMw/YPyi4PGkBQoZ+acHJBsrlekZl6cLWUEEuP7fk -7WzXvyYBEaIWKUprNAaQ7BPStvtqdtI87fDWLd3hFeyjmy8syT4r5Gk7/3IlsTaGW8d/a4tV -G0rFIGE9rstQ4Qg6vrCPY0FTMAhZPJgdd7pjkXrKEFBgv/DXvJWHj5fF/pdqAZSjfFuFHSo5 -OtBUodE5cZ39Ifm1e/Di4AKPbpYkJSygHiyoxImn7+2ZBi+2CkxP26LMNxqvR4Util/ENDRM -AP0Yk2cT0TfmSLSLBsVXexmGCnnLAMlSr0L/N4/hox56PVCrYwbnFbU/tkU3lDexfvJIw3/F -df6XjUWPGqcacigaQA8CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AQYwHwYDVR0jBBgwFoAUF53NHovWOStw01zUoLgfsAD8xWEwHQYDVR0OBBYEFBedzR6L1jkr -cNNc1KC4H7AA/MVhMA0GCSqGSIb3DQEBCwUAA4ICAQBW1Xtu5iIB0kKbGNUO12YjXOP+oMeS -0umUrUuixuwSfHTVSNJZFJnA67nR6/RIMFutp1dzmanT5bfRLlkkWNxoLi5i2GrkcAstIFAg -pDKV0QCYu9P99zLySa7GeuBHvm7Oy6NyOi1pXcvI6EU51PpCwRFMd12S+2r/WETl64Ger6CZ 
-rb6pAWbLOB0830Mf9E1utLoXRvx9/YeBeWoNMw/6L/gUuYCzXU2ql+H55BjF+NU4jCY8/fIo -4u5aSYgs33k9jp6QPL1BSjrdW/aatM4/JTB/Mn2iA5TQ3HqhUt5uk40YJv1VrL2Pm9LPr+eG -LMsfCW+jb6mE1HO/TaF0G04jYPLMDqp/pJxMJaiyZjs4/9mUMPZyhL5oVRAPxnMsFmmTB/6x -Re27olVqsNq1SgIlJ4XXt7eGRBaJbIArPpepnNV+VUzG3kUQHOrpO58DU+7uegECFnjU6MK+ -RnaIEz8iu0gSHVIAtAJ+IRoenCX08z1eHtIc+bMttvc3XMbLIU6w95lHGIXBK7pVrgbq0Aey -3KvQgpZ1ztJQ/pnnzy+f53bRYSr7Ibsx0KqfR6SyIsoWOlBXxFtDZ8VlYgNJAetD2dj4nq3P -sWMORfSgWiybLcWmwK2oR/QnTDgNLhtJO1L06IiDK1Qo1PI1UrQyg2JpZAyRnJ+X6nQW/R8R -Bpqb9AAAAAIAEmUtc3ppZ25vcm9vdGNhMjAxNwAAAXwQWa1IAAVYLjUwOQAAAkQwggJAMIIB -5aADAgECAgwBVEjvIf2XWQ31BAowCgYIKoZIzj0EAwIwcTELMAkGA1UEBhMCSFUxETAPBgNV -BAcMCEJ1ZGFwZXN0MRYwFAYDVQQKDA1NaWNyb3NlYyBMdGQuMRcwFQYDVQRhDA5WQVRIVS0y -MzU4NDQ5NzEeMBwGA1UEAwwVZS1Temlnbm8gUm9vdCBDQSAyMDE3MB4XDTE3MDgyMjEyMDcw -NloXDTQyMDgyMjEyMDcwNlowcTELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRYw -FAYDVQQKDA1NaWNyb3NlYyBMdGQuMRcwFQYDVQRhDA5WQVRIVS0yMzU4NDQ5NzEeMBwGA1UE -AwwVZS1Temlnbm8gUm9vdCBDQSAyMDE3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEltw9 -itiwe2/GJ75EkLGzVhV7jkMkfRqEWe5jaLLGXofQFUgeqJCtvVOi2t46kKZgX2gytYZB34db -LHvF/nx62qNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE -FIcRFQjRqsF4DLGvzsbJkO+/MATAMB8GA1UdIwQYMBaAFIcRFQjRqsF4DLGvzsbJkO+/MATA -MAoGCCqGSM49BAMCA0kAMEYCIQC1V93XilULNuGGRPrU2WiNuNwjiooN1C996nPsv01sqAIh -AMultBL657Xoz36T/PM1j29OWny0vE6y/HKqW1n559wxAAAAAgAfYWNyYWl6Zm5tdC1yY21z -ZXJ2aWRvcmVzc2VndXJvcwAAAXwQWa1IAAVYLjUwOQAAAnIwggJuMIIB86ADAgECAhBi9jJs -5cTjaFwbYt2cLp2VMAoGCCqGSM49BAMDMHgxCzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1U -LVJDTTEOMAwGA1UECwwFQ2VyZXMxGDAWBgNVBGEMD1ZBVEVTLVEyODI2MDA0SjEsMCoGA1UE -AwwjQUMgUkFJWiBGTk1ULVJDTSBTRVJWSURPUkVTIFNFR1VST1MwHhcNMTgxMjIwMDkzNzMz -WhcNNDMxMjIwMDkzNzMzWjB4MQswCQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAM -BgNVBAsMBUNlcmVzMRgwFgYDVQRhDA9WQVRFUy1RMjgyNjAwNEoxLDAqBgNVBAMMI0FDIFJB -SVogRk5NVC1SQ00gU0VSVklET1JFUyBTRUdVUk9TMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE -9rpXU8jKq982SlIh5JfSg2ee8GVR0F6Hx0exWfJXR5sAApNEF2nbQsexsjoYDrRdjLNmXaE0 
-+TYsSdvzRvyzRGlEE2b918X9rzZNzgNNB3HPr2oF0qJDWgpSbwEDTo6Lo0IwQDAPBgNVHRMB -Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUAbkv778RhmDyT9BBbqtzH+fS -bkkwCgYIKoZIzj0EAwMDaQAwZgIxAK5K4ytAw3QR8pWtFiPeTgwa5l2lJF5rRHv8OOJPy5xF -FxFMFCcmVTl1SgPME5CfkgIxAPpKbGCIc/PuuJhiqc4rwtmKpnAxHa+wlEzrT8bj0fNipzz/ -ky4HXEkBZ2kSAnK/5wAAAAIAEXF1b3ZhZGlzcm9vdGNhMWczAAABfBBZrUgABVguNTA5AAAF -ZDCCBWAwggNIoAMCAQICFHhYXy6tLBlL4zcHNTQTKLWW1GWTMA0GCSqGSIb3DQEBCwUAMEgx -CzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9W -YWRpcyBSb290IENBIDEgRzMwHhcNMTIwMTEyMTcyNzQ0WhcNNDIwMTEyMTcyNzQ0WjBIMQsw -CQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEeMBwGA1UEAxMVUXVvVmFk -aXMgUm9vdCBDQSAxIEczMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoL5QEI7p -8mxAtASchbkxytwt5BGpBDwbVcHnWDAdJLTD74XejCzhwT3fguZPrUeHbOxbScFK1buP7Ies -f4Kahuw9A5lSAdI1nqza8FPJZjzUrAIB2iTTO6gCRq+kHOP4c1h2t/YOkA218M/M+vnGTOXD -hjAKjRd+NevF37sOnMCNh+OIOIVn+j7Hq+ATnAUYmM+T9bGStPwj08/VxCdJ4J48mwiji10q -IeD8OapT2n1+zxoJU7xdBQTPoUqPi3aCDaH40scUd1uQNgeBmz4G+lJeY8WmAP6l6VIbUrWS -OXIDCWK9sGAWbqbdJcIDZt3zBNFA4k6LhvRv5YOgJ4ReBMH1kL0wPcTvqGm8OJukpJbRYtpp -wAGWrsvEUTTqDKr/IY5Zj0pc5GGap9LpKniNUT06Fe6iWY6pXN7F+ZAi5YhFcd2RmWx6nz09 -mHxe9r4WaKBergsj/FoPqiJ2LcmhEB3k00QjkIifxirm1/Was1geLzCJCBtUorWYI+wIdxyV -XWHRy4mcX6JKkZrvIapJFgiovWEoMcl0rYX22cWxi9HlEDJNX4sgOjxJHzOFWQ3bywl1Q2lz -+2txffDfxEx9xqMuyJV5y3Oijk5NJPte5AS+chumJy1JWpl611wJILd/lLlP8Q0cXohCGxG3 -55Hbnmz0at+MBpgDrcwo76VH81MCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B -Af8EBAMCAQYwHQYDVR0OBBYEFKOX1vNeohDhq0WfPBdkPO4BcJzMMA0GCSqGSIb3DQEBCwUA -A4ICAQAY+lt1/D56x193x8rfz1/DEsRAXdQyqrhq19UVFUaYI6XmkFsYmUzjrUKjgjE2iM3p -+8QElkiLAceNAc9bMwaWRmZ0HU/twba5tA1hzGN+1y53jJYcKiNoa4VXdnAzE/7hT6Yjdxj6 -GozovWXJzz/0yRfc68e8wAQuLUYvaWbDG4/+7D7TypS/dgolDal7Ahyp0DtfC8CBOj1k4b+n -LU69TcTYKcYiGNDFrHICgj+qOqI6Ipcx3Qhjw3UUuWAoLVto4BapZoIjUfXrU9gxm3vpt51L -64gWz/ldOIpJMI/t8esZ9HcaMRhNZ1RsL29l+ds97CHsXvT0i8pgZVTRcWT0+aajgTM2M3Hw -pHhfTq2DId40SY3oWayd8nZaNvIT9K/gCcdhKmz34J2uu4ZKKG8u7rR5zZAzw7N2+vXwbJ0B 
-kPqekPaccs9H2sMf5DUgU/JU0d9hg6YC4iU43oUyLV5zkFJdQsTOPUvh+RmEHdWiUMxB+0EU -w73WyVqjY2YCgL0FOjtHnOwAJkz1iFG/qCN/GAewC+2LJqFk02FK61yf3rOvZwOzH91tXWlo -aateOux8abzHO4VOnhW5tBVPw5V6WNfJbOlsufMpY160LPAtPe1aZeCpW0DCSJmBbZ4fBio8 -ErSLD5uiJPCmjdZ64Eu2ZJZjlYTCSs0cLiSHM2DlwwAAAAIAE2hvbmdrb25ncG9zdHJvb3Rj -YTEAAAF8EFmtSAAFWC41MDkAAAM0MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAw -RzELMAkGA1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr -b25nIFBvc3QgUm9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzEL -MAkGA1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25n -IFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArP84tulm -AknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQjVrhVcNQhrkpJsLj2aDx -aQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEnPzlTCeqrauh0ssJlXI6/fMN4hM2e -Fvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjhZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDV -yAY45tQM4vM7TG1QjMSDJ8EThFk9nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3 -v/evt3a5pQuEF10Q6m/hq5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8E -CDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9le -gYsCmEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI37pio -l7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clBoiMBdDhViw+5 -LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJsEhTkYY2sEJCehFC78JZv -RZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpOfMGx+6fWtScvl6tu4B3i0RwsH0Ti -/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbiAmvZWgAAAAIAInVzZXJ0cnVzdGVjY2NlcnRp -ZmljYXRpb25hdXRob3JpdHkAAAF8EFmtSAAFWC41MDkAAAKTMIICjzCCAhWgAwIBAgIQXIuZ -xVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5l -dyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNU -IE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkwHhcNMTAwMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzAR -BgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUg -VVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlv 
-biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQarFRaqfloI+d61SRvU8Za2Eur -xtW20eZzca7dnNYMYf3boIkDuAUU7FfO7l0/4iGzzvfUinngo4N+LZfQYcTxmdwlkWOrfzCj -tHDix6EznPO/LlxTsV+zfTJ/ijTjeXmjQjBAMB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1 -xmNjmjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBl -AjA2Z6EWCNzklwBBHU6+4WMBzzuqQhFkoJ2UOQIReVx7Hfpkue4WQrO/isIJxOzksU0CMQDp -KmFHjFJKS04YcPbWRNZu9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1XahgAAAACABRj -eWJlcnRydXN0Z2xvYmFscm9vdAAAAXwQWa1IAAVYLjUwOQAAA6UwggOhMIICiaADAgECAgsE -AAAAAAEPhaotSDANBgkqhkiG9w0BAQUFADA7MRgwFgYDVQQKEw9DeWJlcnRydXN0LCBJbmMx -HzAdBgNVBAMTFkN5YmVydHJ1c3QgR2xvYmFsIFJvb3QwHhcNMDYxMjE1MDgwMDAwWhcNMjEx -MjE1MDgwMDAwWjA7MRgwFgYDVQQKEw9DeWJlcnRydXN0LCBJbmMxHzAdBgNVBAMTFkN5YmVy -dHJ1c3QgR2xvYmFsIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD4yLy9 -FFBmE//w03nsI/K3GseOhfESc6YZqhDbnKJldFp3PlF9VvbcI7bU7V9YsTdN1UkObvVqh9bS -jNInxuL/Np+YZaATTsYqZJvVkBLPFAb0O+PUKL7oDvirTkiUbY6VMRBc7aItvdU6bbIcu2DA -RksB9UmufkaK0HSNoQwCzu7854+4a2bzf0QAv2YlFCvdEDAdB5Y/TfZruI+3ewylOOveR9vV -XTn8iKfz1yp08ehaojufULqmjEU1wlBlldxjgu/dv3dNnGLJY3MW0CkPSalI8LOqt2zFpzA5 -QF2uxOJdJlPwzhwjCGGolBm6BGJA7B84cHcSBnGnMBhdJSelAgMBAAGjgaUwgaIwDgYDVR0P -AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLYIew16zKwgTIZWMl7Pq26F -LXBXMD8GA1UdHwQ4MDYwNKAyoDCGLmh0dHA6Ly93d3cyLnB1YmxpYy10cnVzdC5jb20vY3Js -L2N0L2N0cm9vdC5jcmwwHwYDVR0jBBgwFoAUtgh7DXrMrCBMhlYyXs+rboUtcFcwDQYJKoZI -hvcNAQEFBQADggEBAFbvCiOgVE6Vl8n4idpFwdSjACX0HxOrt6OFWGnCMK3YFYot48nNgVr4 -cyNap3wF8/0iOw7RBsTbNkxzBI7lsCLkxfMupdkj47hOSiCnbgIknyJgZ3uLHXIJxTFc6Xmf -gEc9raELBxQ9R/8DaRoMC0TnYyWnf7LJuHaE7SP2fQerRX7T37O/6Yq2zaiiZytS1bdl8DlM -Y6CReZNSD1Tdg7uf0Y+nU3PDy/8w7HwEuNhEH5NfcQkit24+6hwDTp0aIGH7gTfsXvwKRavX -5xdV0KDqYJum9uOMWynCBmAUnS2XTKmTFZ1hxAFfSNZYvVYxEk4RyCHgsxGRZdu0pog4zlUA -AAACAChtaWNyb3NvZnRyc2Fyb290Y2VydGlmaWNhdGVhdXRob3JpdHkyMDE3AAABfBBZrUgA -BVguNTA5AAAFrDCCBagwggOQoAMCAQICEB7Tlwlf2LSzR3Aeqr5/RbMwDQYJKoZIhvcNAQEM -BQAwZTELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE2MDQG 
-A1UEAxMtTWljcm9zb2Z0IFJTQSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDE3MB4X -DTE5MTIxODIyNTEyMloXDTQyMDcxODIzMDAyM1owZTELMAkGA1UEBhMCVVMxHjAcBgNVBAoT -FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE2MDQGA1UEAxMtTWljcm9zb2Z0IFJTQSBSb290IENl -cnRpZmljYXRlIEF1dGhvcml0eSAyMDE3MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC -AgEAylu+lDOMKZWRFgqVvUdiwYnzmTbfRpDJpe14am9HkWj4J2dQMx2hpvvg5UOjhAJXAV2c -SECCUxC8v8c7aJC2gi3l9GXQzG0ZzJX5e6xKlK0O3ktDHYcHkhOQgINkNTkE/OXpbLO2H1CU -OGVQXBdGubaFtRy1F+jWRZ3YsiawysRwSq5gpN2z2ez8O9VXcrw/yMmy3ktr+CNsA8AFvZXH -zXM7ZoBk4xqsLvlHBfIGtptz9XgzW8eh+ycqobSakYyR0zqCPnZAtM1SYVFwKD/FxVryyYxJ -uxRbTcj/Z01MEpat9f54qJeH1/1eIIDcoUsi+9SJrbrOR5dHVXuPRchnKISVHGgw7+9J4DV7 -ZOeYsJTaTYU7PlXEKK9X854T20Ynnx6iXkSDpKXK1ROzSz/E48LmhmGkUjC5eiBPbw84U8sz -DBMrj9aavSrILbEcfUtRykfRSCdyXYfr1UXmSGWdr1KQuluiGGVXEp9oudQVa5TEaSKY9DPg -7flRjkFQyTRPdpCs/DjB2OF7uePjlOFGacsOClBrE7qsDzdatxK1kIEeVq5XIobZydLR11Hj -qzvGVf0eDtN0CtHaquppuJcoj0jEB/hSQzr0ylU1LLCmasCc+fKB4RJqwEXZZ7PO/yOiiQpU -1BS5KqjX7PmrzSVYMnmPkFuYOcQIBsGsfw49AKUCAwEAAaNUMFIwDgYDVR0PAQH/BAQDAgGG -MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAnLWX+GsnCPGsM548DZ6b+7TbIjMBAGCSsG -AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBDAUAA4ICAQCsrz5dwhGWiY6j55LWlxW4E6KmQi4C -zRYFWSfKIOi6uOga7E2ol1auZUOxjwCbUs1VzVM5bWJMiw1bfC5Ev4MQj/NTgoDDTzrHbhE/ -5uMWkYT7bYR/NHStiafOudfXn4Rkkr6Voa0JUzPd7grqSlGOb1WrurWURq6Mf9iiUCVlYIBG -2zMErmy1mHRUJdyT5PjjVRU9uG3DCqQSwWmFbt9k8VOZ4Up1IJ2VD+TW3APxWRjoR4myV1qU -tqnYFysXSeV2y8FWmTo3sf9pLJGRk+HfTKM3dk2hn/htHh3T+uz79EUdE23P91nlIidyK4bz -V7sw7SRN3H1Wu6Oz+DR5icHg8gJh96b8D7scFwuuQdl8vSej/S460ZOUsXMdJIuvWyCJrbdn -Znn1OsamljP+U5LIRrERkcaZf4/J1mYxIEEQhy0M1sGvNJjKZIP7E1fRwfA8eoylwf2VIaBx -wZNncRLqj4gKaRlkmSNW+6wqLnC+ZsQMhO/li/OTAfhqkJNnS7Joo7Vij+k/jHo7Xg/njLjG -fO83/XTiyE8zcuGUOW29Eq++DE5wfBtvjbMyk3NEFm3o9PfglYCPll04pPSr3gowh5PYTQBx -YkUnSzpChFt/ZbdnNFItnBZrqqjYe6NCTHHHDMo+g+Sm77cBMF5Ro3n1cGmmQUQPhrAskcY9 -6q4PhAAAAAIAD2dvZGFkZHljbGFzczJjYQAAAXwQWa1IAAVYLjUwOQAABAQwggQAMIIC6KAD -AgECAgEAMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28g 
-RGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNh -dGlvbiBBdXRob3JpdHkwHhcNMDQwNjI5MTcwNjIwWhcNMzQwNjI5MTcwNjIwWjBjMQswCQYD -VQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhH -byBEYWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIDANBgkqhkiG9w0B -AQEFAAOCAQ0AMIIBCAKCAQEA3p3X6lcYSaFb69dfSIbqvt3/5O9nHPRlaLNXcaBed7vtm0np -cIA9VhhjCG/a8szQP38CVCJUENiygdTAdT1Lf8d3wz54qxoDtSBrL2orscWIfsS7HrDB2EUn -b6o3WPeHJtfYLfapF7cfcjZOphc/ZZiS2ypuXaL+iOAL3n/ljRXh68s61eISohMt2I6vXxI9 -oAgFCLZcpWU4BEWZHqNgYHTFQaVyYhtixR9vXxpCvgJRZaiuIxhq/HgDqU1/gMP6q1r8oUCk -yhkW/rLI715zDe53vZr2eZi8sQdnohUN3aBYxkR7Cj5iKF+6QQdTWM8Rfjh0xfj/tWmQj4R0 -6pcbrwIBA6OBwDCBvTAdBgNVHQ4EFgQU0sSw0pHUTBFxs2HLPaH+3ahq1OMwgY0GA1UdIwSB -hTCBgoAU0sSw0pHUTBFxs2HLPaH+3ahq1OOhZ6RlMGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQK -ExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIg -Q2VydGlmaWNhdGlvbiBBdXRob3JpdHmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUF -AAOCAQEAMkvzsso+kfwSxqEHjI53oDMGFFyQHhj3CKY9Chn5h4ARbmnklhcw/zSRY3I47swc -AaMdlCikMfZ6xFTX9uUxWAOizM5i25RFc7W/RckktdWCAq0jeWmNuLZNzs9MyjMj6ByIqp2L -QW4WySDliZ7NO9pw936ZJiAUVCWrbnOF5pshnQpsgg6o+MIM+hAebJbvhw3ED2GLre6DK5X4 -jpKEcjnrIOqD7YPNl24IvOtOJrZzK+TT9kz+JnHiYRF0Sv9XGocPdUguz1FpF6ACEmGV1dFA -shBM7sSsEEOmpZ4K1ZVimg3PiILFMgzkK59F5g2fKJyxuSpaV603D68df9u9nwAAAAIAGm1p -Y3Jvc2VjZS1zemlnbm9yb290Y2EyMDA5AAABfBBZrUgABVguNTA5AAAEDjCCBAowggLyoAMC -AQICCQDCfkMETkc/GTANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCSFUxETAPBgNVBAcM -CEJ1ZGFwZXN0MRYwFAYDVQQKDA1NaWNyb3NlYyBMdGQuMScwJQYDVQQDDB5NaWNyb3NlYyBl -LVN6aWdubyBSb290IENBIDIwMDkxHzAdBgkqhkiG9w0BCQEWEGluZm9AZS1zemlnbm8uaHUw -HhcNMDkwNjE2MTEzMDE4WhcNMjkxMjMwMTEzMDE4WjCBgjELMAkGA1UEBhMCSFUxETAPBgNV -BAcMCEJ1ZGFwZXN0MRYwFAYDVQQKDA1NaWNyb3NlYyBMdGQuMScwJQYDVQQDDB5NaWNyb3Nl -YyBlLVN6aWdubyBSb290IENBIDIwMDkxHzAdBgkqhkiG9w0BCQEWEGluZm9AZS1zemlnbm8u -aHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDp+I/zY63ahtin4EL7z5Hepib4 -maVjcK2brsozQH1tlm6hDkTu4ROdlEJSmr11hXQsqA4dk7YYt4wsqM/7XHG52uz+6H6P5C8d 
-sqh1h9i3oeU7z5lKRtCDGX3AoRIclW1K9NjHpU0zLoU5QHV+FHyAEphQx0FnuKCAYVSmbE4f -4J0OB+nJujPn/sBVKCwCgKcZ9Z7cVVMDl3sHSP+Z+zeKJMRZzFAQY46qqRqwhBqG+V+7sVBu -pNEKzNVxfh+nG3z1U24iX8sr5tR8Xa7WwsZM5QUB2e1X/MEjefz6yCSDlfO1alEB0HfW6RKh -+RqD+4IbubCX9HYGM0NJoP8Ltfq1AgMBAAGjgYAwfjAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud -DwEB/wQEAwIBBjAdBgNVHQ4EFgQUyw/G30JDzD3LtUgjoRp6piq7NGgwHwYDVR0jBBgwFoAU -yw/G30JDzD3LtUgjoRp6piq7NGgwGwYDVR0RBBQwEoEQaW5mb0BlLXN6aWduby5odTANBgkq -hkiG9w0BAQsFAAOCAQEAydEOXi7VzLN8Psv8Pf8NKJWTBMi/2s15uEOQ8KS+7/LvIZi81NRd -BvbuQuwwbKCqqcrxr4r6Pwtzaj7qLkB+H65UYXnrLgg31yPzjJ++HbHhpHXboOJUFLG6HCmk -GPYSuqIUFOMxNchA/7fgBXZXwRxZ8vi/5O0lYlyE8H5+H7O++bchEcwDAVZwpxCSHhs0gR6t -nBrDBDztAmHWHgbzXzqH8ivxRYflPazRx1eEvWuu3Nj5thticAs9NslC8jLXemHm0ts9z8ip -yZvc21hE1284r39406OtGnW6HME2fI8ebRzDdUauNQWm9lw9Ie5W8MmCIi16VKtww30iZYJw -lgAAAAIAMWhlbGxlbmljYWNhZGVtaWNhbmRyZXNlYXJjaGluc3RpdHV0aW9uc3Jvb3RjYTIw -MTUAAAF8EFmtSAAFWC41MDkAAAYPMIIGCzCCA/OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCB -pjELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNh -ZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNV -BAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9vdENB -IDIwMTUwHhcNMTUwNzA3MTAxMTIxWhcNNDAwNjMwMTAxMTIxWjCBpjELMAkGA1UEBhMCR1Ix -DzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2Vh -cmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMTN0hlbGxlbmljIEFj -YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9vdENBIDIwMTUwggIiMA0GCSqG -SIb3DQEBAQUAA4ICDwAwggIKAoICAQDC+Kk/G4n8PDwEXT2QNrCROnk8ZlrvbTkBSRq0t89/ -TSNTt5AA4xMqKKYx8ZEA4yjsriFBzh/a/X0SWwGDD7mwX5nh8hKDgE0GPt+sr+ehiGsxr/CL -0BgzuNtFajT0AoAkKAoCFZVedioNmToUW/bLy1O8E00BiDeUJRtCvCLYjqOWXjrZMts+6PAQ -Ze104S+nfK8nNLspfZu2zwnI5dMK/IhlZXQK3HMcXM1AsRzUtoSMTFDPaI6oWa7CJ06CojXd -FPQf/7J31Ycvqm59JCfnxssm5uX+Zwdj2EUN3TpZZTlYepKZcj2chF6IIbjV9Cz82XBST3i4 -vTwri5WY9bPRaM8gFH5MXF/ni+X1NYEZN9cRCLdmvtNKzoNXADrDgfgXy5I2XdGj2HUb4Ysn -6npIQf1FGQatJ5lOwXBH3bWfgVMS5bGMSF0xQxfjjMZ6Y5ZLKTBOhE5iGV48zpeQpX8B653g 
-+IuJ3SWYPZK2fu/Z8VFRfS0myGlZYeCsargqNhEEelC9MoS+L9xy1dcdFkfkR2YgP/SWxa+O -AXqlD3pk9Q0Yh9muiNX6hME6wGkoLfINaFGq46V3xqSQDqE3izEjR8EJCOtu93ib14L8hCCZ -SRm2Ekax+0VVFqmjZaycBw/qa9wfLgZy7IaIEuQt218FL+TwA9MmM+eAws1CoRc0CwIDAQAB -o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJ -vXVdctA4GGqd83EkVAswDQYJKoZIhvcNAQELBQADggIBAHW7bVRLqhBYRjTyYtcWNl0IXtVs -yIe9tC5G8jH4fOpCtZMWVdyhDBKg2mF+D1hYc2Ryx+hFjtyp8iY/xnmMsVMIM4GwVhO+5lFc -2JsKT0ucVlMC6U/2DWDqTUJV6HwbISHTGzrMd/K4kPFox/la/vot9L/J9UUbzjgQKjeKeaO0 -4wlshYaT/4mWJ3iBj2fjRnRUjtkNaeJK9E10A/+yd+2VZ5fkscWrv2oj6NSU4kQoYsRL4vDY -4ilrGnB+JGGTe08DMiUNRSQrlrRGar9KC/eaj8GsGsVn82800vpzY4zvFrCopEYq+OsS7HK0 -7/grfoxSwIuEVPkvPuNVqNxmsdnhX9izjFk0WaSrT2y7HxjbdavYy5LNlDhhDgcGH0tGEPEV -vo2FXDtKK4F5D7Rpn0lQl033DlZdwJVqwjbDG2jJ9SrcR5q+ss7FJej6A7na+RZukYT1HCjI -/CbM1xyQVqdfbzoEvM14iQuODy+jqk+iGxI9FghAD/FGTNeqewjBCvVtJ94Cj8rDtSvK6evI -IVM4pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGaJI7ZjnHKe7iG -2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0vm9qp/UsQu0y -rbYhnr68AAAAAgAobWljcm9zb2Z0ZWNjcm9vdGNlcnRpZmljYXRlYXV0aG9yaXR5MjAxNwAA -AXwQWa1IAAVYLjUwOQAAAl0wggJZMIIB36ADAgECAhBm8j2vh96LsUrqDFcxAcLsMAoGCCqG -SM49BAMDMGUxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24x -NjA0BgNVBAMTLU1pY3Jvc29mdCBFQ0MgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAx -NzAeFw0xOTEyMTgyMzA2NDVaFw00MjA3MTgyMzE2MDRaMGUxCzAJBgNVBAYTAlVTMR4wHAYD -VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xNjA0BgNVBAMTLU1pY3Jvc29mdCBFQ0MgUm9v -dCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxNzB2MBAGByqGSM49AgEGBSuBBAAiA2IABNS8 -PQJCdUETI82ABIYCUS9qqIFiC2XM9sqdHm9KZlGiA9mdkfq2FrGMbt58zdt5pi/Ou85xL+Wl -qyjsYwRmmfj68pMQBeGBKELjxmj05huEYEqJr+15DzvO8fZE9QF4wKNUMFIwDgYDVR0PAQH/ -BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMjLmXJwUgz45r6yBFcpKs9CEO01 -MBAGCSsGAQQBgjcVAQQDAgEAMAoGCCqGSM49BAMDA2gAMGUCMFjyTeoM+V9e7mApyzry29Yy -hBk/fNUvwrHMk65Quwkyxsbtfsk2lBLkaIUGohvQLwIxAJnpFrQO+lZI1KQwFpF421SMZQGK -51BmwjG3Obq4GiIHTvxrVBYg/yu150wMTaZPcwAAAAIAMWhlbGxlbmljYWNhZGVtaWNhbmRy 
-ZXNlYXJjaGluc3RpdHV0aW9uc3Jvb3RjYTIwMTEAAAF8EFmtSAAFWC41MDkAAAQ1MIIEMTCC -AxmgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCR1IxRDBCBgNVBAoTO0hl -bGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9y -aXR5MUAwPgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRp -b25zIFJvb3RDQSAyMDExMB4XDTExMTIwNjEzNDk1MloXDTMxMTIwMTEzNDk1MlowgZUxCzAJ -BgNVBAYTAkdSMUQwQgYDVQQKEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5z -dGl0dXRpb25zIENlcnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMg -YW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBSb290Q0EgMjAxMTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAKlTAOMupvaO+mDYLZU++CwqVE7NuYRhlFhPjz2L5EPzdYmNUeTD -N9KKiE15HrcS3UN4SoqS5tdI1Q+kOilENbgH9mgdVc04UfCMJDGFr4PJfel3r+0ae50X+bOd -OFAPplp5kYCvN66m0zH7tSYJnTxa71HFK9+WXesyHgLacEnsbgzImjeN9/E2YEsmLIKe0Hjz -DQ9jpFEw4fkrJxIH2Oq9GGKYsFk3fb7u8yBRQlqD75O6aRXxYp2fmTmCobd0LovUxQt7L/DI -Cto9eQqakxylKHJzkUOap9FNhYS5qXSPFEDH3N6sQWRstBmbAmNtJGSPRLIl6s5ddAxjMlyN -h+UCAwEAAaOBiTCBhjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU -ppFC/RNhSiOeCKQp5dgTBCPuQSUwRwYDVR0eBEAwPqA8MAWCAy5ncjAFggMuZXUwBoIELmVk -dTAGggQub3JnMAWBAy5ncjAFgQMuZXUwBoEELmVkdTAGgQQub3JnMA0GCSqGSIb3DQEBBQUA -A4IBAQAf73lB4XtuP7KMhjdCSk4cNx6NZrokgclPEg8hwAOXhiVtXdMiKahsog2p6z0GW5k6 -x8zDmjR/qw7IThzh+uTczQ2+vyT+bOdrwg3IBp5OjWEopmr95fZi6hg8TqBTnbI6nOulnJEW -tk2C4AwFSKls9cz4y51JtPACpf1wA+2KIaWuE4ZJwzNzvoc7dIsXRSZMFpGD/md9zU1jZ/rz -AxKWeAaNsWftjj++n08C9bMJL/NMh98qy5V8AcysNnq/onN694/BtZqhFLKPM58N7yLcZnuE -vUUXBj08yrl3NI/K6s8/MT7jiOOASSXIl7WdmplNsDz4SgCbZN2fOUvRJ9e4AAAAAgAiZ29k -YWRkeXJvb3RjZXJ0aWZpY2F0ZWF1dGhvcml0eS1nMgAAAXwQWa1IAAVYLjUwOQAAA8kwggPF -MIICraADAgECAgEAMA0GCSqGSIb3DQEBCwUAMIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMH -QXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIElu -Yy4xMTAvBgNVBAMTKEdvIERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIw -HhcNMDkwOTAxMDAwMDAwWhcNMzcxMjMxMjM1OTU5WjCBgzELMAkGA1UEBhMCVVMxEDAOBgNV -BAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29t 
-LCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAt -IEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3FiCPH6WTT3G8kYo/eASVjp -IoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4HTu70+k8vWTAi56sZVmvigAf88xZ1 -gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02 -jBEYt9OyHGC0OPoCjM7T3UYH3go+6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4p -xRyp6V0etp6eMAo5zvGIgPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s -51iruF9G/M7EGwM8CetJMVxpRrPgRwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud -DwEB/wQEAwIBBjAdBgNVHQ4EFgQUOpqFBxBnKLbv9r0FQW4gwZTaD94wDQYJKoZIhvcNAQEL -BQADggEBAJnbXXnV+ZdZZwNh8X47BjF1LaEgjk9lh7T3ppy82Okv0Nta7s90jHO0OELaBXv4 -AnW4/aWx1672194Ty1MQfopG0Zf6ty4rEauQsCeA+eifWuk3n6vk32yzhRedPdkkT3mRNdZf -BOuAg6uaAi21EPTYkMcEc0DtciWgqZ/snqtoEplXxo8SOgmkvUT9BhU3wZvkMqPtOOjYZPMs -fhT8Auqfzf8HaBfbIpA4LXqN0VTxaeNfM8p6PXsK48p/Xznl4nW6xXYYM84s8C9Mrfex585P -qMSbSlQGxX991QgP4hz+fhe4rF721BayQwkMTfana7SZhGXKeoji4kS+XPfqHPUAAAACAB5l -cGtpcm9vdGNlcnRpZmljYXRpb25hdXRob3JpdHkAAAF8EFmtSAAFWC41MDkAAAW0MIIFsDCC -A5igAwIBAgIQFci9ZUdcr7iXAF7kBtK8nTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJU -VzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0ZC4xKjAoBgNVBAsMIWVQS0kg -Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDEyMjAwMjMxMjdaFw0zNDEyMjAw -MjMxMjdaMF4xCzAJBgNVBAYTAlRXMSMwIQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwg -THRkLjEqMCgGA1UECwwhZVBLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN -BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEh -ajfqhFAHSyZbCUNsIZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrBp0xtInAh -ijHyl3SJCRImHJ7K2RKilTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2YWEtgvM3XDZoTM1PR -Yfl61dd4s5oz9wCGzh1NlDivqOx4UXCKXBCDUSH3ET00hl7lSM2XgYI1TBnsZfZrxQWh7kcT -1rMhJ5QQCtkkO7q+RBNGMD+XPNjX12ruOzjjK9SXDrkb5wdJfzcq+Xd4z1TtW0ado4AOkUPB -1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0OWQqraffAsgRFelQArr5T9rXn4fg8ozHSqf4hUmTF -pmfwdQcGlBSBVcYn5AGPF8Fqcde+S/uUWH1+ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8i -QkEeb5mKPtf5P0B6ebClAZLSnT0IFaUQAS2zMnaolQ2zepr7BxB4EW/hj8e6DyUadCrlHJhB 
-md8hh+iVBmoKs2pHdmX2Os+PYhcZewoozRrSgx4hxyy/vv9haLdnG7t4TY3OZ+XkwY63I2bi -nZB1NJipNiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXiZo1jDiVN1Rmy5nk3pyKdVDEC -AwEAAaNqMGgwHQYDVR0OBBYEFB4M97Zn8uGSJglFwFU5Lnc/QkqiMAwGA1UdEwQFMAMBAf8w -OQYEZyoHAAQxMC8wLQIBADAJBgUrDgMCGgUAMAcGBWcqAwAABBRFsMLHClZ87lt4DJX5GFPB -phzYEDANBgkqhkiG9w0BAQUFAAOCAgEACbODU1kBPpVJufGBuvl2ICO1J2B01GqZNF5sAFPZ -n/KmsSQHRGoqxqWOeBLoR9lYGxMqXnmbnwoqZ6YlPwZpVnPDimZI+ymBV3QGypzqKOg4ZyYr -8dW1P2WT+DZdjo2NQCCHGervJ8A9tDkPJXtoUHRVnAxZfVo9QZQlUgjgRywVMRnVvwdVxrsS -tZf0X4OFunHB2WyBEXYKCrC/gpf36j36+uwtqSiUO1bd0lEursC9CBWMd1I0ltabrNMdjmEP -NXubrjlpC2JgQCA2j6/7Nu4tCEoduL+bXPjqpRugc6bY+G7gMwRfaKonh+3ZwZCc7b3jajWv -Y9+rGNm65ulK6lCKD2GTHuItGeIwlDWSXQ62B68ZgI9HkFFLLk3dheLSClIKF5r8GrBQAuUB -o2M3IUxExJtRmREOc5wGj1QupyheRDmHVi03vYVElOEMSyycw5KFNGHLD7ibSkNS/jQ6fbjp -Kdx2qcgw+BRxgMYeNkh0IkFch4LoGHGLQYlE535YW6i4jRPpp2zDR+2zGp1iro2C6pSe3VkQ -w63d4k3jMdXH7OjysP6SHhYKGvzZ8/gntsm+HbRsZJB/9OTEW9c3rkIO3aQab3yIVMUWbuF6 -aC74Or8NpDyJO3inTmODBCEIZ43ygknQW/2xzQ+DhNQ+IIX3Sj0rnP0qCglN6oH4EZwAAAAC -ACx0cnVzdHdhdmVnbG9iYWxlY2NwMzg0Y2VydGlmaWNhdGlvbmF1dGhvcml0eQAAAXwQWa1I -AAVYLjUwOQAAAqEwggKdMIICJKADAgECAgwIvYWXbJknpIBoRzswCgYIKoZIzj0EAwMwgZEx -CzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczEQMA4GA1UEBxMHQ2hpY2FnbzEhMB8G -A1UEChMYVHJ1c3R3YXZlIEhvbGRpbmdzLCBJbmMuMTowOAYDVQQDEzFUcnVzdHdhdmUgR2xv -YmFsIEVDQyBQMzg0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE3MDgyMzE5MzY0M1oX -DTQyMDgyMzE5MzY0M1owgZExCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczEQMA4G -A1UEBxMHQ2hpY2FnbzEhMB8GA1UEChMYVHJ1c3R3YXZlIEhvbGRpbmdzLCBJbmMuMTowOAYD -VQQDEzFUcnVzdHdhdmUgR2xvYmFsIEVDQyBQMzg0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 -MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEa9oNdTUIMUcFrkWZVfEREy5K+BAxI6N+g9N/KAg6 -Jho6z5eCH4C3JwmP0Y4wxAqbDqxYBKv3Nn2UI6SbCoqLq+v9OSVm8V7+jK6NQXmdCWDOKKnT -im3z1kXU8piEOGWgo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBgAwHQYD -VR0OBBYEFFWphInSwTK9GMtspgdOyOedvoKQMAoGCCqGSM49BAMDA2cAMGQCMDcBkpdFEn6g -8z6tGTpy3fRQkwMSvkTST0GkjJydH6P2wpLnSBT+TpulkVeuxjdyuwIwZyUKsQxe7qljkm/l 
-kAv+ZiLKR/2KMfeD/nq/EL4YKx6P9ikelFnvjiE3y1GYpW5LAAAAAgARZ2xvYmFsc2lnbnJv -b3RlNDYAAAF8EFmtSAAFWC41MDkAAAIPMIICCzCCAZGgAwIBAgISEdK7ujNu1LzmJGjFDYQd -mOhDMAoGCCqGSM49BAMDMEYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52 -LXNhMRwwGgYDVQQDExNHbG9iYWxTaWduIFJvb3QgRTQ2MB4XDTE5MDMyMDAwMDAwMFoXDTQ2 -MDMyMDAwMDAwMFowRjELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2Ex -HDAaBgNVBAMTE0dsb2JhbFNpZ24gUm9vdCBFNDYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASc -DrHPt+ieUnd1NPqlRqetMhkytAepJ8qUuwzSChDH2omwlwxwEwkBjtjqR+q+soArzfwoDdus -vKSGN+1wCAB16pMLey5SnCNoIwZD7JIvU4Tb+0cUB+hflGddyXqBPCCjQjBAMA4GA1UdDwEB -/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQxCpCPtsad0kRLgLWi5h+xEk8b -lTAKBggqhkjOPQQDAwNoADBlAjEA31SQ7Zvvi5QCkxeCmb6zniz2C5GMn0oUsfZkvLtoURMM -A/cVi4RguYv/Uo7njLwcAjA8+RHUjE7AwWHCFUyqqx0LMV87HOIAl0Qx5v5zli/altP+CAez -NIm8BZ/3Hobui3AAAAACACRzdGFyZmllbGRyb290Y2VydGlmaWNhdGVhdXRob3JpdHktZzIA -AAF8EFmtSAAFWC41MDkAAAPhMIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzEL -MAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAj -BgNVBAoTHFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs -ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3 -MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH -EwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTIw -MAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNH -ttfKPTUuiUP3oWmb3ooa/RMgnLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtr -X8WJpRBSiUZV9Lh1HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/h -bVNMYq/NHwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN -dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0HZbUJtQI -BFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0GCSqGSIb3DQEBCwUAA4IBAQAR -WfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjUsHU48TRqneSfioYmUeYs0cYtbpUgSpIB 
-7LiKZ3sx4mcujJUDJi5DnUox9g61DLu34jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoN -AX3FWOdt5oUwF5okxBDgBPfg8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6 -nH7PfrHxBy22/L/KpL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztA -gfd9fDL1mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0AAAAAgAoc3NsLmNvbWV2 -cm9vdGNlcnRpZmljYXRpb25hdXRob3JpdHlyc2FyMgAAAXwQWa1IAAVYLjUwOQAABe8wggXr -MIID06ADAgECAghWtinNNLx49jANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCVVMxDjAM -BgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRp -b24xNzA1BgNVBAMMLlNTTC5jb20gRVYgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBS -U0EgUjIwHhcNMTcwNTMxMTgxNDM3WhcNNDIwNTMwMTgxNDM3WjCBgjELMAkGA1UEBhMCVVMx -DjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9y -YXRpb24xNzA1BgNVBAMMLlNTTC5jb20gRVYgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 -eSBSU0EgUjIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCPNmVA4dZNwNe06Uba -a+ozR81M+X19vr0tPfDbeOGGpdm6CVdo7Vc+oNAIQYPnKEEkH+NyFdABGvtecCOyy58548/F -TsaSbSbGe7uz2iedCobpgTcF/vBxcezDHOljohcUne8bZ9OFVQIC1knJzFrhsfdvMp/J1DuI -Qaicvcur2217CR+iTHKQ2isI/M88VM5nD6jPXZYZC8Tjcuut0X0dJ++S6xC/W+s7r8+A3cHS -lgRben6kqTw4dqRijqA5Xup3z10AWY9mLD4HoqMFJhFpl+qFtw+WC0vIQOFQui6Ky/cPmiLn -f5o3E83yTRNrIdHAzCLyoUb2RGmcymE1BwBv1mEIEeq6uPbps2DlTbnsnxRmyVdY282HafiK -hhIDR79mE3asd300JIWDzdeqnJAanyEsf3i3ZLjY6Kb0eLNVy4TSMsR4rqOPYd3OCFOt7Ij8 -FeSaDeafGnfOTI+4FBU9YpyGOAYAZhLkWXZaU8ACmKIQK2hEe455zjNKdqpbgRYbtYrY0AB7 -XmK0CdaGYw6mBZVJuiiLiJOyNBzYpFVutxzQ3plVOyP0IuD5KWYm7CBQd9tKC4++5QJgcEFe -1K5QOSIUJsuyO3N0VUcHeYE5qDATROUEiq6WEyVCD7lTxJv8zeQc3jz6q9YGSh9nppgwHN0s -29wYlVdmxv9ci1b1dwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFPlg -u9Tj1TT2uPUGgCWnc9tGaaieMB0GA1UdDgQWBBT5YLvU49U09rj1BoAlp3PbRmmonjAOBgNV -HQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFazjssKnUmOv6TEkbtmFwVRmHX75VAs -ep7xFPqr04o+/5Epj2OL2LSpVAENvpOGL/lKbcde9Vf5ylUcEr5HDzbF32q323XCRyV/ufFj -+GgtVQTR8o2wpM+8PF4feOeloCBwsATFt/dyp94iDb0zJUaMZJIm4z4uY5bam4w9+BgJ1wPM -fYaC4MoEB1FQ1/+S1Qzv2oafmdfrt69o4jkmlLpot7+D0+p6Zz1iZ64l5XLo4uTsrhL2Sys8 
-n+mwQPM4VLP9t2jI2saPUTyy+5HcHOebneG3DXKP4qTEqXj56xSsxkMFwmU5KBgCw4KynQW+ -Ze2WX2V0PPsJNS57nBP9Gw9dx22BOlYPzDvhrwIvIqxGykY8oBxM1kS0Xi5cFWYJ4SYp/sZS -Ybqxc//DDJzlbGqUPxTKQBaVhPNZqaxfTGGTbdE7zKKVDCKmZ2dELrnZ0opBs2YLWvt9I6Xy -GrD/3puDlC7RP9+St5GvBTtlx6Bssc1iEsOQG+MlzjS8b3d2sRDD9wUawNavdGJIF3eSaZBh -HN6VgHRUjxgcw/MD0L+kQ3WGUxh6Ci4JHDafkf2CiiJL0Q5QJd3LAwwXyYMACE41TYqL7fAC -lGYsRH/LlSeWF60JMKy2cRduixf2HAnULTuYpXHTVBPZYPP1S2ZP+vHuIBKNtKxXsUVjoax2 -qcL7CnxeFrtkDGW4gmo4NgQZjJ1bHLk= diff --git a/kubernetes/common/cert-wrapper/templates/configmap.yaml b/kubernetes/common/cert-wrapper/templates/configmap.yaml deleted file mode 100644 index 117a4ab718..0000000000 --- a/kubernetes/common/cert-wrapper/templates/configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -{{- $suffix := "certs" }} -metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . ) | nindent 2 }} -data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/cert-wrapper/values.yaml b/kubernetes/common/cert-wrapper/values.yaml deleted file mode 100644 index fcece0e3f5..0000000000 --- a/kubernetes/common/cert-wrapper/values.yaml +++ /dev/null 
@@ -1,17 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-certInitializer:
- nameOverride: cert-initializer
- createCertsCM: true
diff --git a/kubernetes/common/certInitializer/Chart.yaml b/kubernetes/common/certInitializer/Chart.yaml
deleted file mode 100644
index 6b4e0dfdce..0000000000
--- a/kubernetes/common/certInitializer/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Template used to obtain certificates in onap
-name: certInitializer
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: 'file://../common'
- - name: readinessCheck
- version: ~12.x-0
- repository: 'file://../readinessCheck'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: 'file://../repositoryGenerator'
diff --git a/kubernetes/common/certInitializer/resources/ingress/onboard.sh b/kubernetes/common/certInitializer/resources/ingress/onboard.sh deleted file mode 100644 index 9cc5ec580e..0000000000 --- a/kubernetes/common/certInitializer/resources/ingress/onboard.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/ -}} - -echo "*** retrieving certificates and keys" -export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0) -export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0) -export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0) -echo "*** creating tls secret" -cat </config/${PFILE}; done - env: - {{- range $cred := $dot.Values.credentials }} - - name: {{ $cred.name }} - {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $cred.uid "key" $cred.key) | nindent 4 }} - {{- end }} - volumeMounts: - - mountPath: /opt/app/config/cache - name: dbc-response-cache - - mountPath: /config-input - name: app-config-input - - mountPath: /config - name: app-config - resources: - limits: - cpu: 200m - memory: 250Mi - requests: - cpu: 100m - memory: 200Mi + resources: {{ include "common.resources" $dot | nindent 4 }} {{- end -}} {{- end -}} \ No newline at end of file diff --git a/kubernetes/common/common/templates/_images.tpl b/kubernetes/common/common/templates/_images.tpl new file mode 100644 index 0000000000..3bbaabc006 --- /dev/null 
+++ b/kubernetes/common/common/templates/_images.tpl
@@ -0,0 +1,121 @@
+{{/*
+# Copyright © Original (https://github.com/bitnami/charts) VMware, Inc.
+# Copyright © 2024 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+Original, if common way of image definition:
+{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.tls.image) "context" $) -}}
+*/}}
+{{- define "common.imagePullSecrets" -}}
+{{- $images := list }}
+{{- if .Values.image }}
+ {{- if kindIs "map" .Values.image -}}
+ {{- $images = append $images ".Values.image" -}}
+ {{- end -}}
+{{- end -}}
+{{- if .Values.metrics }}
+ {{- if .Values.metrics.image }}
+ {{- if kindIs "map" .Values.metrics.image -}}
+ {{- $images = append $images ".Values.metrics.image" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- include "common.images._renderPullSecrets" (dict "images" $images "context" $) -}}
+{{- end -}}
+
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+ {{- if .global.imageRegistry }}
+ {{- $registryName = .global.imageRegistry -}}
+ {{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+ {{- $separator = "@" -}}
+ {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+ {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+ {{- printf "%s%s%s" $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names evaluating values as templates
+{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }}
+*/}}
+{{- define "common.images._renderPullSecrets" -}}
+ {{- $pullSecrets := list }}
+ {{- $context := .context }}
+ {{- $images := .images }}
+
+ {{- if $context.Values.global }}
+ {{- range $context.Values.global.imagePullSecrets -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues._render" (dict "value" .name "context" $context)) -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues._render" (dict "value" . "context" $context)) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range $image := $images -}}
+ {{- if contains "pullSecret" $image -}}
+ {{- range $pullSecret := $image.pullSecrets -}}
+ {{- if kindIs "map" $pullSecret -}}
+ {{- $pullSecrets = append $pullSecrets $pullSecret.name -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets $pullSecret -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets | uniq }}
+ - name: {{ . }}
+ {{- end }}
+ {{- else -}}
+imagePullSecrets: []
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion)
+{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }}
+*/}}
+{{- define "common.images._version" -}}
+{{- $imageTag := .imageRoot.tag | toString -}}
+{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}}
+{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}}
+ {{- $version := semver $imageTag -}}
+ {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}}
+{{- else -}}
+ {{- print .chart.AppVersion -}}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl
index d8a944712a..ca23c75896 100644
--- a/kubernetes/common/common/templates/_ingress.tpl
+++ b/kubernetes/common/common/templates/_ingress.tpl
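Review bot: In `common.imagePullSecrets` (new file `_images.tpl`) the two `append` calls add the quoted strings `".Values.image"` and `".Values.metrics.image"` to `$images` instead of the image maps, and `common.images._renderPullSecrets` then tests each entry with `contains "pullSecret" $image`, a substring check on that string that is never true. As written only `global.imagePullSecrets` can reach the rendered `imagePullSecrets:` list, so a chart that sets `image.pullSecrets` for a private registry gets no pull secret from this helper and nothing reports the omission. Passing the maps and testing the key would make the per-image branch live: `{{- $images = append $images .Values.image -}}`, `{{- $images = append $images .Values.metrics.image -}}` and `{{- if hasKey $image "pullSecrets" -}}`. The usage comments also name `common.images.renderPullSecrets` and `common.images.version`, while the templates are defined as `common.images._renderPullSecrets` and `common.images._version`, so the documented calls would not resolve unless those names are defined elsewhere.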
@@ -14,6 +14,186 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} +{{/* + Helper function to check, if Ingress is globally enabled +*/}} +{{- define "common.ingressEnabled" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.ingress -}} +{{- if $dot.Values.global.ingress -}} +{{- if (default false $dot.Values.global.ingress.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to check, if Ingress is enabled +*/}} +{{- define "common.ingress._enabled" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.ingress -}} +{{- if $dot.Values.global.ingress -}} +{{- if (default false $dot.Values.global.ingress.enabled) -}} +{{- if (default false $dot.Values.global.ingress.enable_all) -}} +true +{{- else -}} +{{- if $dot.Values.ingress.enabled -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to check, if TLS redirect is enabled +*/}} +{{- define "common.ingress._tlsRedirect" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.ssl }} +{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Provider (default is "ingress") +*/}} +{{- define "common.ingress._provider" -}} +{{- $dot := default . .dot -}} +{{- $provider := "ingress" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.provider -}} +{{- if ne $dot.Values.global.ingress.provider "" -}} +{{ $provider = $dot.Values.global.ingress.provider }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $provider -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Class (default is "nginx") +*/}} +{{- define "common.ingress._class" -}} +{{- $dot := default . 
.dot -}} +{{- $class := "nginx" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.ingressClass -}} +{{- if ne $dot.Values.global.ingress.ingressClass "" -}} +{{ $class = $dot.Values.global.ingress.ingressClass }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $class -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Selector (default is "ingress") +*/}} +{{- define "common.ingress._selector" -}} +{{- $dot := default . .dot -}} +{{- $selector := "ingress" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.ingressSelector -}} +{{- if ne $dot.Values.global.ingress.ingressSelector "" -}} +{{ $selector = $dot.Values.global.ingress.ingressSelector }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $selector -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway, if exists +*/}} +{{- define "common.ingress._commonGateway" -}} +{{- $dot := default . .dot -}} +{{- $gateway := "-" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $gateway = $dot.Values.global.ingress.commonGateway.name }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $gateway -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway HTTP Listener name, if exists +*/}} +{{- define "common.ingress._gatewayHTTPListener" -}} +{{- $dot := default . .dot -}} +{{- $listener := "http-80" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $listener = $dot.Values.global.ingress.commonGateway.httpListener }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $listener -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway HTTPS Listener name, if exists +*/}} +{{- define "common.ingress._gatewayHTTPSListener" -}} +{{- $dot := default . 
.dot -}} +{{- $listener := "https-443" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $listener = $dot.Values.global.ingress.commonGateway.httpsListener }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $listener -}} +{{- end -}} + +{{/* + Helper function to check the existance of an override value +*/}} +{{- define "common.ingress._overrideIfDefined" -}} + {{- $currValue := .currVal }} + {{- $parent := .parent }} + {{- $var := .var }} + {{- if $parent -}} + {{- if hasKey $parent $var }} + {{- default "" (index $parent $var) }} + {{- else -}} + {{- default "" $currValue -}} + {{- end -}} + {{- else -}} + {{- default "" $currValue }} + {{- end -}} +{{- end -}} + +{{/* + Helper function to get the protocol of the service +*/}} +{{- define "common.ingress._protocol" -}} +{{- $dot := default . .dot -}} +{{- $protocol := "http" -}} +{{- if $dot.tcpRoutes }} +{{- $protocol = "tcp" -}} +{{- end -}} +{{- if $dot.udpRoutes }} +{{- $protocol = "tcp" -}} +{{- end -}} +{{- if $dot.protocol }} +{{- $protocol = (lower $dot.protocol) -}} +{{- end -}} +{{- $protocol -}} +{{- end -}} + {{/* Create the hostname as concatination . - baseaddr: from component values: ingress.service.baseaddr 
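Review bot: In `common.ingress._gatewayHTTPListener` and `common.ingress._gatewayHTTPSListener` the override is guarded by `commonGateway.name` but assigns `commonGateway.httpListener` / `httpsListener`. A values file that names a common gateway without setting the listener keys therefore replaces the `http-80` / `https-443` defaults with an empty value, which later ends up in `sectionName`. Guard on the key that is actually read, e.g. `{{- if $dot.Values.global.ingress.commonGateway.httpListener -}}`. Separately, `common.ingress._protocol` sets `$protocol = "tcp"` in the `udpRoutes` branch; this looks like a copy of the `tcpRoutes` branch and probably should be `"udp"`, or carry a comment explaining why UDP is reported as TCP.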
@@ -23,50 +203,109 @@ {{- define "ingress.config.host" -}} {{- $dot := default . .dot -}} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $preaddr := default "" $dot.Values.global.ingress.virtualhost.preaddr -}} +{{- $preaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $preaddr "parent" (default (dict) $dot.Values.ingress) "var" "preaddrOverride") -}} +{{- $postaddr := default "" $dot.Values.global.ingress.virtualhost.postaddr -}} +{{- $postaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $postaddr "parent" (default (dict) $dot.Values.ingress) "var" "postaddrOverride") -}} {{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}} {{- $burl := include "common.ingress._overrideIfDefined" (dict "currVal" $burl "parent" (default (dict) $dot.Values.ingress) "var" "baseurlOverride") -}} -{{ printf "%s.%s" $baseaddr $burl }} +{{ printf "%s%s%s.%s" $preaddr $baseaddr $postaddr $burl }} {{- end -}} {{/* - Helper function to add the tls route + Istio Helper function to add the tls route */}} -{{- define "ingress.config.tls" -}} +{{- define "istio.config.tls_simple" -}} {{- $dot := default . .dot -}} -{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} + tls: {{- if $dot.Values.global.ingress.config }} -{{- if $dot.Values.global.ingress.config.ssl }} -{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} +{{- if $dot.Values.global.ingress.config.tls }} + credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} +{{- else }} + credentialName: "ingress-tls-secret" +{{- end }} +{{- else }} + credentialName: "ingress-tls-secret" +{{- end }} + mode: SIMPLE +{{- end -}} + +{{/* + Istio Helper function to add the tls route +*/}} +{{- define "istio.config.tls" -}} +{{- $dot := default . 
.dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- if $service.exposedPort }} +{{- if $service.exposedProtocol }} +{{- if eq $service.exposedProtocol "TLS" }} + {{ include "istio.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- else }} +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.ssl }} +{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} tls: httpsRedirect: true - port: number: 443 name: https protocol: HTTPS - tls: -{{- if $dot.Values.global.ingress.config }} -{{- if $dot.Values.global.ingress.config.tls }} - credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} -{{- else }} - credentialName: "ingress-tls-secret" -{{- end }} -{{- else }} - credentialName: "ingress-tls-secret" -{{- end }} - mode: SIMPLE + {{ include "istio.config.tls_simple" (dict "dot" $dot ) }} hosts: - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} +{{- end }} {{- end }} {{- end }} {{- end }} {{- end -}} +{{/* + Istio Helper function to add the external port of the service +*/}} +{{- define "istio.config.port" -}} +{{- $dot := default . .dot -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the name of the port, is required." 
.protocol) -}} +{{- if $dot.exposedPort }} + number: {{ $dot.exposedPort }} +{{- if $dot.exposedProtocol }} + name: {{ $protocol }}-{{ $dot.exposedPort }} + protocol: {{ $dot.exposedProtocol }} +{{- else }} + name: {{ $protocol }} + protocol: HTTP +{{- end -}} +{{- else }} + number: 80 + name: {{ $protocol }} + protocol: HTTP +{{- end -}} +{{- end -}} + +{{/* + Create Port entry in the Gateway resource +*/}} +{{- define "istio.config.gatewayPort" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} + - port: + {{- include "istio.config.port" (dict "dot" $service "baseaddr" $baseaddr "protocol" $protocol) }} + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{- include "istio.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} +{{- end -}} + {{/* Helper function to add the route to the service */}} {{- define "ingress.config.port" -}} {{- $dot := default . .dot -}} -{{ range .Values.ingress.service }} +{{ range $dot.Values.ingress.service }} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} http: 
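Review bot: In `istio.config.tls`, a service that sets `exposedPort` only gets a `tls:` block when `exposedProtocol` is exactly `TLS`, so `exposedProtocol: HTTPS` (or a lower-case `tls`) renders a Gateway server with no TLS settings, which Istio is expected to reject or leave unusable. The same branch also skips the global `ssl: redirect` handling entirely, so exposing a custom port quietly drops the HTTPS redirect for that service. I would widen the comparison to `{{- if has (upper $service.exposedProtocol) (list "TLS" "HTTPS") }}` and add a comment stating that services with `exposedPort` are exempt from the redirect, if that is intended. `istio.config.port` also requires `baseaddr` without using it.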
@@ -88,44 +327,67 @@ {{- end -}} {{/* - Helper function to add the route to the service + Istio Helper function to add the route to the service */}} {{- define "istio.config.route" -}} -{{- $dot := default . .dot -}} - http: +{{- $dot := default . .dot -}} +{{- $protocol := (required "'protocol' param, is required." .protocol) -}} +{{- if eq $protocol "tcp" }} + - match: + - port: {{ $dot.exposedPort }} + route: + - destination: + port: + {{- if $dot.plain_port }} + {{- if kindIs "string" $dot.plain_port }} + name: {{ $dot.plain_port }} + {{- else }} + number: {{ $dot.plain_port }} + {{- end }} + {{- else }} + {{- if kindIs "string" $dot.port }} + name: {{ $dot.port }} + {{- else }} + number: {{ $dot.port }} + {{- end }} + {{- end }} + host: {{ $dot.name }} +{{- else if eq $protocol "http" }} - route: - destination: port: - {{- if .plain_port }} - {{- if kindIs "string" .plain_port }} - name: {{ .plain_port }} + {{- if $dot.plain_port }} + {{- if kindIs "string" $dot.plain_port }} + name: {{ $dot.plain_port }} {{- else }} - number: {{ .plain_port }} + number: {{ $dot.plain_port }} {{- end }} {{- else }} - {{- if kindIs "string" .port }} - name: {{ .port }} + {{- if kindIs "string" $dot.port }} + name: {{ $dot.port }} {{- else }} - number: {{ .port }} + number: {{ $dot.port }} {{- end }} {{- end }} - host: {{ .name }} + host: {{ $dot.name }} +{{- end -}} {{- end -}} {{/* Helper function to add ssl annotations */}} {{- define "ingress.config.annotations.ssl" -}} +{{- $class := include "common.ingress._class" (dict "dot" .) 
}} {{- if .Values.ingress.config -}} {{- if .Values.ingress.config.ssl -}} {{- if eq .Values.ingress.config.ssl "redirect" -}} -kubernetes.io/ingress.class: nginx -nginx.ingress.kubernetes.io/ssl-passthrough: "true" -nginx.ingress.kubernetes.io/ssl-redirect: "true" +kubernetes.io/ingress.class: {{ $class }} +{{ $class }}.ingress.kubernetes.io/ssl-passthrough: "true" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "true" {{- else if eq .Values.ingress.config.ssl "native" -}} -nginx.ingress.kubernetes.io/ssl-redirect: "true" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "true" {{- else if eq .Values.ingress.config.ssl "none" -}} -nginx.ingress.kubernetes.io/ssl-redirect: "false" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "false" {{- end -}} {{- end -}} {{- end -}} 
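Review bot: `ingress.config.annotations.ssl` now builds the annotation keys from the ingress class name (`{{ $class }}.ingress.kubernetes.io/ssl-redirect`), but that prefix belongs to the ingress-nginx controller, not to the class. With any class other than the literal `nginx` (for example a second nginx class with a different name) the controller will not read these keys, and the SSL redirect and passthrough settings are silently dropped. Template only the class value and keep the key prefix fixed: `kubernetes.io/ingress.class: {{ $class }}` followed by `nginx.ingress.kubernetes.io/ssl-redirect: "true"`. In the `tcp` branch of `istio.config.route`, `port: {{ $dot.exposedPort }}` renders empty when the value is missing, so a `required` there would fail earlier and more clearly.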
@@ -144,51 +406,17 @@ nginx.ingress.kubernetes.io/ssl-redirect: "false" {{ include "ingress.config.annotations.ssl" . | indent 4 | trim }} {{- end -}} -{{/* - Helper function to check the existance of an override value -*/}} -{{- define "common.ingress._overrideIfDefined" -}} - {{- $currValue := .currVal }} - {{- $parent := .parent }} - {{- $var := .var }} - {{- if $parent -}} - {{- if hasKey $parent $var }} - {{- default "" (index $parent $var) }} - {{- else -}} - {{- default "" $currValue -}} - {{- end -}} - {{- else -}} - {{- default "" $currValue }} - {{- end -}} -{{- end -}} - -{{/* - Helper function to check, if Ingress is enabled -*/}} -{{- define "common.ingress._enabled" -}} -{{- $dot := default . .dot -}} -{{- if $dot.Values.ingress -}} -{{- if $dot.Values.global.ingress -}} -{{- if (default false $dot.Values.global.ingress.enabled) -}} -{{- if (default false $dot.Values.global.ingress.enable_all) -}} -true -{{- else -}} -{{- if $dot.Values.ingress.enabled -}} -true -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} - {{/* Create Istio Ingress resources per defined service */}} {{- define "common.istioIngress" -}} -{{- $dot := default . .dot -}} -{{ range $dot.Values.ingress.service }} -{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- $dot := default . .dot -}} +{{- $selector := include "common.ingress._selector" (dict "dot" $dot) }} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }} +{{ range $dot.Values.ingress.service }} +{{ if or ( eq (include "common.ingress._protocol" (dict "dot" .)) "http" ) ( eq (include "common.ingress._protocol" (dict "dot" .)) "tcp" )}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- if eq $gateway "-" }} --- apiVersion: networking.istio.io/v1beta1 kind: Gateway 
@@ -196,15 +424,20 @@ metadata: name: {{ $baseaddr }}-gateway spec: selector: - istio: ingressgateway # use Istio default gateway implementation + istio: {{ $selector }} servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{ include "ingress.config.tls" (dict "dot" $dot "baseaddr" $baseaddr) }} +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{ end -}} +{{- else }} + {{- if .protocol }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" .protocol) | trim }} + {{- else }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} + {{ end }} +{{ end }} +{{ end }} --- apiVersion: networking.istio.io/v1beta1 kind: VirtualService 
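Review bot: `.protocol` is passed to `istio.config.gatewayPort` exactly as written in values, while the service filter at the top of `common.istioIngress` compares the lower-cased result of `common.ingress._protocol`. A service with `protocol: HTTP` therefore passes the filter but gets a port named `HTTP`, and in the VirtualService hunk (`@@ -214,9 +447,287 @@`) the same raw value becomes the YAML key `{{ .protocol }}:` and is handed to `istio.config.route`, which matches only `tcp` and `http` and would render no route. Normalise once, as `common.gwapiIngress` does: `"protocol" (lower .protocol)`. `common.istioIngress` starts before and ends after this hunk.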
@@ -214,9 +447,287 @@ spec: hosts: - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} gateways: +{{- if eq $gateway "-" }} - {{ $baseaddr }}-gateway - {{ include "istio.config.route" . | trim }} -{{- end -}} +{{- else }} + - {{ $gateway }} +{{- end }} +{{- if .tcpRoutes }} + tcp: +{{ range .tcpRoutes }} + {{ include "istio.config.route" (dict "dot" . "protocol" "tcp") | trim }} +{{ end -}} +{{- else }} + {{- if .protocol }} + {{ .protocol }}: + {{ include "istio.config.route" (dict "dot" . "protocol" .protocol) | trim }} + {{- else }} + http: + {{ include "istio.config.route" (dict "dot" . "protocol" "http") | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + GW-API Helper function to add the tls route +*/}} +{{- define "gwapi.config.tls_simple" -}} +{{- $dot := default . .dot -}} + tls: +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.tls }} + certificateRefs: + - kind: Secret + group: "" + name: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} +{{- else }} + certificateRefs: + - kind: Secret + group: "" + name: "ingress-tls-secret" +{{- end }} +{{- else }} + certificateRefs: + - kind: Secret + group: "" + name: "ingress-tls-secret" +{{- end }} + mode: Terminate +{{- end -}} + +{{/* + GW-API Helper function to add the tls route +*/}} +{{- define "gwapi.config.tls" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." 
.baseaddr) -}} +{{- if $service.exposedPort }} +{{- if $service.exposedProtocol }} +{{- if eq $service.exposedProtocol "TLS" }} + {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- else }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} + - name: HTTPS-443 + port: 443 + protocol: HTTPS + hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Create Listener entry in the Gateway resource +*/}} +{{- define "gwapi.config.listener" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} +{{- $port := default 80 $service.exposedPort -}} + - name: {{ $protocol }}-{{ $port }} + port: {{ $port }} +{{- if $service.exposedProtocol }} + protocol: {{ upper $service.exposedProtocol }} +{{- else }} + protocol: HTTP +{{- end }} + hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + allowedRoutes: + namespaces: + from: All +{{- if eq $service.protocol "tcp" }} + kinds: + - kind: TCPRoute +{{- else if eq $service.protocol "tcp" }} + kinds: + - kind: UDPRoute +{{- end }} + {{- include "gwapi.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} +{{- end -}} + +{{/* + Create *Route entry for the Gateway-API +*/}} +{{- define "gwapi.config.route" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." 
.baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) -}} +{{- $namespace := default "istio-ingress" $dot.Values.global.ingress.namespace -}} +{{- $path := default "/" $service.path -}} +{{- if eq $protocol "udp" -}} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: UDPRoute +metadata: + name: {{ $baseaddr }}-{{ $service.exposedPort }}-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: udp-{{ $service.exposedPort }} + rules: + - backendRefs: + - group: '' + kind: Service + name: {{ $service.name }} + port: {{ $service.port }} + weight: 1 +{{- else if eq $protocol "tcp" }} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TCPRoute +metadata: + name: {{ $baseaddr }}-{{ $service.exposedPort }}-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: tcp-{{ $service.exposedPort }} + rules: + - backendRefs: + - group: '' + kind: Service + name: {{ $service.name }} + port: {{ $service.port }} + weight: 1 +{{- else if eq $protocol "http" }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: {{ $baseaddr }}-http-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} + sectionName: {{ include "common.ingress._gatewayHTTPSListener" (dict "dot" $dot) }} +{{- else }} + sectionName: {{ include 
"common.ingress._gatewayHTTPListener" (dict "dot" $dot) }} +{{- end }} + hostnames: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + rules: + - backendRefs: + - group: '' + kind: Service + name: {{ $service.name }} + port: {{ $service.port }} + weight: 1 + matches: + - path: + type: PathPrefix + value: {{ $path }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: {{ $baseaddr }}-redirect-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: {{ include "common.ingress._gatewayHTTPListener" (dict "dot" $dot) }} + hostnames: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 + matches: + - path: + type: PathPrefix + value: {{ $path }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Create GW-API Ingress resources per defined service +*/}} +{{- define "common.gwapiIngress" -}} +{{- $dot := default . .dot -}} +{{- $selector := include "common.ingress._selector" (dict "dot" $dot) }} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }} +{{ range $dot.Values.ingress.service }} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- if eq $gateway "-" }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: {{ $baseaddr }}-gateway +spec: + gatewayClassName: {{ $dot.Values.global.serviceMesh.engine }} + listeners: +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . 
"baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{- end -}} +{{- else if .udpRoutes }} +{{ range .udpRoutes }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "udp") | trim }} +{{- end -}} +{{- else }} +{{- if .protocol }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }} +{{- else }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} +{{- end }} +{{- end }} +{{- end }} +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{- end -}} +{{- else if .udpRoutes }} +{{ range .udpRoutes }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "udp") | trim }} +{{- end -}} +{{- else }} +{{- if .protocol }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }} +{{- else }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} +{{- end }} +{{- end }} +{{- end }} {{- end -}} {{/* @@ -224,6 +735,9 @@ spec: */}} {{- define "common.nginxIngress" -}} {{- $dot := default . .dot -}} +{{ range $dot.Values.ingress.service }} +{{ if eq (include "common.ingress._protocol" (dict "dot" $dot)) "http" }} +{{ $baseaddr := required "baseaddr" .baseaddr }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
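Review bot: In `gwapi.config.listener` both branches test the same condition, `{{- if eq $service.protocol "tcp" }}` and `{{- else if eq $service.protocol "tcp" }}`, so the `UDPRoute` kind can never be emitted. The check also reads `$service.protocol` rather than the `$protocol` argument the caller passes, which the `tcpRoutes` / `udpRoutes` entries may not carry. I would use `{{- if eq $protocol "tcp" }}` and `{{- else if eq $protocol "udp" }}`. The listener also sets `allowedRoutes.namespaces.from: All`, which lets a route in any namespace attach to this hostname; if only the release namespace (or a labelled set) needs access, `Same` or `Selector` is the tighter choice and the reason for `All` deserves a comment.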
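Review bot: The protocol filter added to `common.nginxIngress` calls `common.ingress._protocol` with `(dict "dot" $dot)`, i.e. the chart root rather than the service being iterated. The helper reads `.tcpRoutes`, `.udpRoutes` and `.protocol` from that argument, and the root context has none of them, so the result is always `http` and non-HTTP services are not filtered out. `common.istioIngress` passes the loop item, and the same is needed here: `{{ if eq (include "common.ingress._protocol" (dict "dot" .)) "http" }}`. The rest of `common.nginxIngress` lies outside this hunk.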
@@ -238,20 +752,20 @@ metadata: spec: rules: {{ include "ingress.config.port" $dot | trim }} -{{- if $dot.Values.ingress.tls }} +{{- if $dot.Values.ingress.tls }} tls: {{ toYaml $dot.Values.ingress.tls | indent 4 }} -{{- end -}} -{{- if $dot.Values.ingress.config -}} -{{- if $dot.Values.ingress.config.tls -}} +{{- end -}} +{{- if $dot.Values.ingress.config -}} +{{- if $dot.Values.ingress.config.tls }} tls: - hosts: - {{- range $dot.Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} secretName: {{ required "secret" (tpl (default "" $dot.Values.ingress.config.tls.secret) $dot) }} -{{- end -}} -{{- end -}} +{{- end }} +{{- end }} +{{- end }} +{{- end }} {{- end -}} {{/* 
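Review bot: The `range` opened in the previous hunk now wraps the whole Ingress, but `{{ include "ingress.config.port" $dot | trim }}` still iterates over every entry in `ingress.service`, so each iteration renders a complete Ingress carrying the rules for all hosts. No `---` separator is visible before `apiVersion:`, so with more than one service the documents appear to be concatenated into one, and the `tls.hosts` list now holds only the current host while the rules cover all of them. The metadata lines are outside the visible hunks, so the resource name may or may not differ per iteration. I would keep a single Ingress and move the `{{ range $dot.Values.ingress.service }}` / protocol `if` pair back around only the `tls.hosts` entries, or else render per-service rules and start each iteration with `---`.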
@@ -268,22 +782,29 @@ spec: | true | true | any | ingress | | true | false | true | ingress | - If ServiceMesh (Istio) is enabled the respective resources are created: - - Gateway + If ServiceMesh (Ingress-Provider: Istio) is enabled the respective resources + are created: + - Gateway (optional) - VirtualService + If ServiceMesh (Ingress-Provider: GatewayAPI) is enabled the respective resources + are created: + - Gateway (optional) + - HTTPRoute, TCPRoute, UDPRoute (depending) + If ServiceMesh is disabled the standard Ingress resource is creates: - Ingress */}} {{- define "common.ingress" -}} {{- $dot := default . .dot -}} +{{- $provider := include "common.ingress._provider" (dict "dot" $dot) -}} {{- if (include "common.ingress._enabled" (dict "dot" $dot)) }} -{{- if (include "common.onServiceMesh" .) }} -{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} -{{ include "common.istioIngress" (dict "dot" $dot) }} -{{- end -}} -{{- else -}} +{{- if eq $provider "ingress" -}} {{ include "common.nginxIngress" (dict "dot" $dot) }} +{{- else if eq $provider "istio" -}} +{{ include "common.istioIngress" (dict "dot" $dot) }} +{{- else if eq $provider "gw-api" -}} +{{ include "common.gwapiIngress" (dict "dot" $dot) }} {{- end -}} {{- end -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl index 993fb7dfac..a690acd141 100644 --- a/kubernetes/common/common/templates/_labels.tpl +++ b/kubernetes/common/common/templates/_labels.tpl 
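Review bot: `common.ingress` renders nothing when `global.ingress.provider` holds a value other than `ingress`, `istio` or `gw-api`, so a typo such as `Istio` or `gwapi` yields a release with no ingress resources and no error. Since the selection no longer follows `global.serviceMesh.engine`, deployments that relied on the service-mesh switch will presumably fall back to the `ingress` default until the new key is set, which makes a silent no-op more likely. I would end the chain with `{{- else -}}{{ fail (printf "unsupported global.ingress.provider %q" $provider) }}`, and document the three accepted values in the comment block above the define.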
@@ -26,6 +26,12 @@ The function takes several arguments (inside a dictionary): {{- define "common.labels" -}} {{- $dot := default . .dot -}} app.kubernetes.io/name: {{ include "common.name" $dot }} +app: {{ include "common.name" $dot }} +{{- if $dot.Chart.AppVersion }} +version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" +{{- else }} +version: "{{ $dot.Chart.Version | replace "+" "_" }}" +{{- end }} {{ if not .ignoreHelmChart }} helm.sh/chart: {{ include "common.chart" $dot }} {{- end }} diff --git a/kubernetes/common/common/templates/_log.tpl b/kubernetes/common/common/templates/_log.tpl index 369c25b254..993c48239a 100644 --- a/kubernetes/common/common/templates/_log.tpl +++ b/kubernetes/common/common/templates/_log.tpl @@ -29,11 +29,11 @@ mountPath: /usr/share/filebeat/data resources: requests: - memory: "5Mi" cpu: "10m" + memory: "5Mi" limits: - memory: "20Mi" cpu: "100m" + memory: "20Mi" {{- end -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index 5021c500b0..3092298a7d 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl 
@@ -58,12 +58,27 @@ {{- include "common.mariadb.secret._secretName" (set . "uidTemplate" "common.mariadb.secret.userCredentialsUID") }} {{- end -}} +{{/* + Choose the name of the mariadb app label to use. +*/}} +{{- define "common.mariadbAppName" -}} + {{- if .Values.global.mariadbGalera.localCluster -}} + {{- index .Values "mariadb-galera" "nameOverride" -}} + {{- else -}} + {{- .Values.global.mariadbGalera.nameOverride -}} + {{- end -}} +{{- end -}} + {{/* Choose the name of the mariadb service to use. */}} {{- define "common.mariadbService" -}} {{- if .Values.global.mariadbGalera.localCluster -}} + {{- if and .Values.global.mariadbGalera.useOperator (index .Values "mariadb-galera" "mariadbOperator" "galera" "enabled") }} + {{- printf "%s-primary" (index .Values "mariadb-galera" "nameOverride") -}} + {{- else }} {{- index .Values "mariadb-galera" "nameOverride" -}} + {{- end }} {{- else -}} {{- .Values.global.mariadbGalera.service -}} {{- end -}} 
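Review bot: In `common.mariadbService`, `index .Values "mariadb-galera" "mariadbOperator" "galera" "enabled"` aborts rendering when any intermediate key is absent, so a chart that uses `localCluster` but whose `mariadb-galera` values have no `mariadbOperator.galera` section would presumably fail instead of falling back to the plain `nameOverride`. Whether `and` short-circuits depends on the Go version Helm was built with, so the `useOperator` check should not be relied on as a guard. A nil-safe lookup keeps the fallback: `(dig "mariadbOperator" "galera" "enabled" false (index .Values "mariadb-galera"))`. The new `common.mariadbAppName` would also benefit from a comment stating that `nameOverride` must be set in both branches, since it renders empty otherwise.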
@@ -97,3 +112,258 @@ {{- define "common.mariadbSecretParam" -}} {{ printf "password" -}} {{- end -}} + +{{/* + Create MariaDB Database via mariadb-operator +*/}} +{{- define "common.mariadbOpDatabase" -}} +{{- $dot := default . .dot -}} +{{- $dbname := (required "'dbame' param, is required." .dbname) -}} +{{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Database +metadata: + name: {{ $dbinst }}-{{ $dbname }} +spec: + name: {{ $dbname }} + mariaDbRef: + name: {{ $dbinst }} + characterSet: utf8 + collate: utf8_general_ci + retryInterval: 5s +{{- end -}} + +{{/* + Create MariaDB User via mariadb-operator +*/}} +{{- define "common.mariadbOpUser" -}} +{{- $dot := default . .dot -}} +{{- $dbuser := (required "'dbuser' param, is required." .dbuser) -}} +{{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} +{{- $dbsecret := (required "'dbsecret' param, is required." .dbsecret) -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: User +metadata: + name: {{ $dbinst }}-{{ $dbuser }} +spec: + name: {{ $dbuser }} + mariaDbRef: + name: {{ $dbinst }} + waitForIt: true + passwordSecretKeyRef: + name: {{ $dbsecret }} + key: password + # This field is immutable and defaults to 10 + maxUserConnections: 100 + retryInterval: 5s +{{- end -}} + +{{/* + Grant rights to a MariaDB User via mariadb-operator +*/}} +{{- define "common.mariadbOpGrants" -}} +{{- $dot := default . .dot -}} +{{- $dbuser := (required "'dbuser' param, is required." .dbuser) -}} +{{- $dbname := (required "'dbame' param, is required." .dbname) -}} +{{- $dbinst := (required "'dbinst' param, is required." 
.dbinst) -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Grant +metadata: + name: {{ $dbuser }}-{{ $dbname }}-{{ $dbinst }} +spec: + mariaDbRef: + name: {{ $dbinst }} + waitForIt: true + privileges: + - "ALL" + database: {{ $dbname }} + table: "*" + username: {{ $dbuser }} + retryInterval: 5s + grantOption: true +{{- end -}} + +{{/* + MariaDB Backup via mariadb-operator +*/}} +{{- define "common.mariadbOpBackup" -}} +{{- $dot := default . .dot -}} +{{- $dbinst := include "common.name" $dot -}} +{{- $name := default $dbinst $dot.Values.backup.nameOverride -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Backup +metadata: + name: {{ $name }} +spec: + inheritMetadata: + labels: + sidecar.istio.io/inject: 'false' + backoffLimit: 5 + logLevel: info + mariaDbRef: + name: {{ $dbinst }} + waitForIt: true + schedule: + cron: {{ $dot.Values.backup.cron }} + suspend: false + maxRetention: {{ $dot.Values.backup.maxRetention }} + storage: + {{- if eq $dot.Values.backup.storageType "PVC" }} + persistentVolumeClaim: + resources: + requests: + storage: {{ $dot.Values.backup.persistence.size }} + {{- if $dot.Values.mariadbOperator.storageClassName }} + storageClassName: {{ $dot.Values.mariadbOperator.storageClassName }} + {{- end }} + accessModes: + - {{ $dot.Values.backup.persistence.accessMode }} + {{- end }} + {{- if eq $dot.Values.backup.storageType "S3" }} + s3: {{- include "common.tplValue" ( dict "value" .Values.backup.s3 "context" $) | nindent 6 }} + {{- end }} + {{- if eq $dot.Values.backup.storageType "volume" }} + volume: {{- include "common.tplValue" ( dict "value" .Values.backup.volume "context" $) | nindent 6 }} + {{- end }} + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + cpu: "300m" + memory: "500Mi" +{{- end -}} + +{{/* + Create a MariaDB instance via mariadb-operator +*/}} +{{- define "common.mariadbOpInstance" -}} +{{- $dot := default . 
.dot -}} +{{- $global := $dot.Values.global -}} +{{- $dbinst := include "common.name" $dot -}} +{{- $dbrootsecret := tpl (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.rootUser.externalSecret) $dot -}} +{{- $dbusersecret := tpl (default (include "common.mariadb.secret.userCredentialsSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.db.externalSecret) $dot -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: MariaDB +metadata: + name: {{ $dbinst }} +spec: + podSecurityContext: + runAsUser: 10001 + runAsGroup: 10001 + fsGroup: 10001 + inheritMetadata: + {{ if .Values.podAnnotations -}} + annotations: {{ toYaml .Values.podAnnotations | nindent 6 }} + {{- end }} + labels: + # temporarily test mariaDB without sidecar (fix initial Job, Backup and Metrics) + # will be obsolete with "native-sidecars" feature in K8S and Istio + sidecar.istio.io/inject: "false" + app: {{ $dbinst }} + version: {{ .Values.mariadbOperator.appVersion }} + rootPasswordSecretKeyRef: + name: {{ $dbrootsecret }} + key: password + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadbOperator.image }}:{{ $dot.Values.mariadbOperator.appVersion }} + imagePullPolicy: IfNotPresent + {{- include "common.imagePullSecrets" . | nindent 2 }} + port: 3306 + replicas: {{ $dot.Values.replicaCount }} + {{- if $dot.Values.mariadbOperator.galera.enabled }} + galera: + enabled: true + sst: mariabackup + replicaThreads: 1 + agent: + image: {{ include "repositoryGenerator.githubContainerRegistry" . 
}}/{{ .Values.mariadbOperator.galera.agentImage }}:{{ $dot.Values.mariadbOperator.galera.agentVersion }} + imagePullPolicy: IfNotPresent + port: 5555 + kubernetesAuth: + enabled: true + authDelegatorRoleName: {{ $dbinst }}-auth + gracefulShutdownTimeout: 5s + primary: + automaticFailover: true + podIndex: 0 + recovery: + enabled: true + clusterHealthyTimeout: 30s + clusterBootstrapTimeout: 10m0s + minClusterSize: 50% + podRecoveryTimeout: 3m0s + podSyncTimeout: 3m0s + initContainer: + image: {{ include "repositoryGenerator.githubContainerRegistry" . }}/{{ $dot.Values.mariadbOperator.galera.initImage }}:{{ $dot.Values.mariadbOperator.galera.initVersion }} + imagePullPolicy: IfNotPresent + config: + reuseStorageVolume: false + volumeClaimTemplate: + {{- if .Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ .Values.mariadbOperator.persistence.storageClassName }} + {{- end }} + resources: + requests: + storage: 50Mi + accessModes: + - ReadWriteOnce + {{- end }} + livenessProbe: + exec: + command: + - bash + - '-c' + - mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;" + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - bash + - '-c' + - mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;" + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + {{- if default false $dot.Values.global.metrics.enabled }} + metrics: + enabled: true + {{- end }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + tolerations: + - key: k8s.mariadb.com/ha + operator: Exists + effect: NoSchedule + podDisruptionBudget: + maxUnavailable: 50% + updateStrategy: + type: RollingUpdate + + myCnfConfigMapKeyRef: + key: my.cnf + name: {{ printf "%s-configuration" (include "common.fullname" $dot) }} + resources: {{ include "common.resources" . 
| nindent 4 }} + storage: + {{- if $dot.Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ $dot.Values.mariadbOperator.persistence.storageClassName }} + {{- end }} + size: {{ $dot.Values.mariadbOperator.persistence.size | quote }} +{{- if $dot.Values.db.user }} +{{ include "common.mariadbOpUser" (dict "dot" . "dbuser" $dot.Values.db.user "dbinst" $dbinst "dbsecret" $dbusersecret) }} +{{- end }} +{{- if $dot.Values.db.name }} +{{ include "common.mariadbOpDatabase" (dict "dot" . "dbname" $dot.Values.db.name "dbinst" $dbinst) }} +{{- end }} +{{- if and $dot.Values.db.user $dot.Values.db.name }} +{{ include "common.mariadbOpGrants" (dict "dot" . "dbuser" $dot.Values.db.user "dbname" $dot.Values.db.name "dbinst" $dbinst) }} +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index b38a7f1105..810350bfa6 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl @@ -45,6 +45,9 @@ - containerPort: {{ default $port.plain_port $port.internal_plain_port }} name: {{ $port.name }}-plain {{- end }} +{{- if $port.l4_protocol }} + protocol: {{ $port.l4_protocol }} +{{- end }} {{- end }} {{- end -}} diff --git a/kubernetes/common/common/templates/_postgres.tpl b/kubernetes/common/common/templates/_postgres.tpl index 45d903e574..dcd17c0312 100644 --- a/kubernetes/common/common/templates/_postgres.tpl +++ b/kubernetes/common/common/templates/_postgres.tpl 
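Review bot: The `Grant` rendered by `common.mariadbOpGrants` gives the application user `privileges: - "ALL"` on `table: "*"` together with `grantOption: true`, so the account created for a component can also pass its privileges on to other database accounts. Unless a caller is known to need that, render `grantOption: false` (or take it from an optional `.grantOption` parameter defaulting to false) and accept a privilege list instead of the fixed `ALL`. In the same hunk both probes in `common.mariadbOpInstance` run `mariadb -u root -p"${MARIADB_ROOT_PASSWORD}"`, which passes the root password as a command-line argument inside the container and uses the root account for a health check; a dedicated low-privilege probe account would be safer. The `required` messages in `common.mariadbOpDatabase` and `common.mariadbOpGrants` spell the parameter `'dbame'` where `'dbname'` is meant.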
@@ -63,3 +63,89 @@ {{- define "common.postgres.secret.primaryPasswordSecretName" -}} {{- include "common.postgres.secret._secretName" (set . "uidTemplate" "common.postgres.secret.primaryPasswordUID") }} {{- end -}} + +{{/* + Create postgres cluster via postgres crunchydata-operator +*/}} +{{- define "common.postgresOpInstance" -}} +{{- $dot := default . .dot -}} +{{- $global := $dot.Values.global -}} +{{- $dbinst := include "common.name" $dot -}} +--- +apiVersion: postgres-operator.crunchydata.com/v1beta1 +kind: PostgresCluster +metadata: + name: {{ $dbinst }} + labels: + app: {{ $dbinst }} + version: "5.5" +spec: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.postgresOperator.imagePostgres }} + image: {{ .Values.postgresOperator.imagePostgres | quote }} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 2 }} + postgresVersion: {{ $dot.Values.postgresOperator.postgresVersion }} + instances: + - name: {{ default "instance1" .Values.postgresOperator.instanceName | quote }} + replicas: {{ default 2 .Values.postgresOperator.instanceReplicas }} + dataVolumeClaimSpec: + {{- if .Values.instanceStorageClassName }} + storageClassName: {{ .Values.postgresOperator.instanceStorageClassName | quote }} + {{- end }} + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: {{ default "1Gi" .Values.postgresOperator.instanceSize | quote }} + {{- if or .Values.instanceMemory .Values.postgresOperator.instanceCPU }} + resources: + limits: + cpu: {{ default "" .Values.postgresOperator.instanceCPU | quote }} + memory: {{ default "" .Values.postgresOperator.instanceMemory | quote }} + {{- end }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: {{ $dbinst }} + postgres-operator.crunchydata.com/instance-set: {{ default "instance1" 
.Values.postgresOperator.instanceName | quote }} + proxy: + pgBouncer: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.postgresOperator.imagePgBouncer }} + image: {{ .Values.postgresOperator.imagePgBouncer | quote }} + {{- end }} + replicas: {{ default 2 .Values.postgresOperator.bouncerReplicas }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: {{ $dbinst }} + postgres-operator.crunchydata.com/role: pgbouncer + {{- if .Values.postgresOperator.monitoring }} + monitoring: + pgmonitor: + exporter: + image: {{ default "" .Values.postgresOperator.imageExporter | quote }} + {{- if .Values.postgresOperator.monitoringConfig }} +{{ toYaml .Values.monitoringConfig | indent 8 }} + {{- end }} + {{- end }} + users: + - name: postgres +{{- end -}} diff --git a/kubernetes/common/common/templates/_resources.tpl b/kubernetes/common/common/templates/_resources.tpl index fae77435a3..11177c76fb 100644 --- a/kubernetes/common/common/templates/_resources.tpl +++ b/kubernetes/common/common/templates/_resources.tpl @@ -39,21 +39,21 @@ e.g: resources: small: limits: - cpu: 200m - memory: 4Gi + cpu: "200m" + memory: "4Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "100m" + memory: "1Gi" large: limits: - cpu: 400m - memory: 8Gi + cpu: "400m" + memory: "8Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "200m" + memory: "2Gi" unlimited: {} */ -}} {{- define "common.resources" -}} {{- $flavor := include "common.flavor" . -}} -{{- toYaml (pluck $flavor .Values.resources | first) | indent 12 -}} +{{- toYaml (pluck $flavor .Values.resources | first) -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 7b88af02aa..3db01396ca 100644 --- a/kubernetes/common/common/templates/_service.tpl 
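Review bot: Three guards in `common.postgresOpInstance` test a different key from the one they render: `{{- if .Values.instanceStorageClassName }}` wraps `.Values.postgresOperator.instanceStorageClassName`, `{{- if or .Values.instanceMemory .Values.postgresOperator.instanceCPU }}` wraps `.Values.postgresOperator.instanceMemory`, and `{{- if .Values.postgresOperator.monitoringConfig }}` wraps `toYaml .Values.monitoringConfig`. As written, a storage class set under `postgresOperator` is dropped, a memory limit set without a CPU limit is dropped, and the monitoring block renders a value from the wrong path. Each guard and value should use the `postgresOperator` key, e.g. `{{- if .Values.postgresOperator.instanceStorageClassName }}`. The template also mixes `.Values` with `$dot.Values`, so it only works when called with the chart context directly rather than with `dict "dot" ...`. Separately, `users: - name: postgres` appears to have the operator manage credentials for the superuser account; please confirm that consumers are meant to connect as `postgres` rather than as a per-application user.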
+++ b/kubernetes/common/common/templates/_service.tpl @@ -126,14 +126,14 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- else }} protocol: TCP {{- end }} +{{- if $port.app_protocol }} + appProtocol: {{ $port.app_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%ss-%s" $port.port_protocol $port.name }} {{- else }} name: {{ $port.name }} {{- end }} -{{- if (eq $serviceType "NodePort") }} - nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "useNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} -{{- end }} {{- else }} - port: {{ default $port.port $port.plain_port }} targetPort: {{ $port.name }} @@ -142,20 +142,29 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- else }} protocol: {{ default "TCP" $port.l4_protocol }} {{- end }} +{{- if $port.app_protocol }} + appProtocol: {{ $port.app_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} {{- else }} name: {{ $port.name }} {{- end }} {{- end }} +{{- if (eq $serviceType "NodePort") }} + nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "useNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} +{{- end }} {{- if (and (and (include "common.needTLS" $dot) $add_plain_port) $port.plain_port) }} {{- if (eq $serviceType "ClusterIP") }} - port: {{ $port.plain_port }} targetPort: {{ $port.name }}-plain -{{- if $port.plain_l4_port_protocol }} +{{- if $port.plain_l4_port_protocol }} protocol: {{ $port.plain_port_l4_protocol }} -{{- else }} +{{- else }} protocol: {{ default "TCP" $port.l4_protocol }} +{{- end }} +{{- if $port.app_protocol }} + appProtocol: {{ $port.app_protocol }} {{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} 
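Review bot: In the second hunk the plain-port branch tests `$port.plain_l4_port_protocol` but renders `$port.plain_port_l4_protocol`; the commit re-indents these lines and leaves the key mismatch in place. A chart that sets the first spelling gets an empty `protocol:`, and one that sets the second falls through to the `default "TCP" $port.l4_protocol` branch, so the intended value never reaches the Service. Use one key in both places, e.g. `{{- if $port.plain_port_l4_protocol }}` followed by `protocol: {{ $port.plain_port_l4_protocol }}`. The enclosing port loop starts outside the hunk.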
@@ -241,7 +250,7 @@ spec: {{- $both_tls_and_plain:= default false $dot.Values.service.both_tls_and_plain }} {{- $labels := default (dict) .labels -}} {{- $matchLabels := default (dict) .matchLabels -}} -{{- if and (include "common.onServiceMesh" $dot) (eq $serviceType "NodePort") }} +{{- if and (include "common.ingressEnabled" $dot) (eq $serviceType "NodePort") -}} {{- $serviceType = "ClusterIP" }} {{- end }} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index a685a73627..de779f8db8 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Amdocs, Bell Canada, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -66,3 +67,81 @@ exit "$RCODE" fieldPath: metadata.namespace {{- end }} {{- end }} + +{{/* + Use Authorization Policies or not. +*/}} +{{- define "common.useAuthorizationPolicies" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if .Values.global.authorizationPolicies -}} +{{- if (default false .Values.global.authorizationPolicies.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Create Authorization Policy template. + If common.useAuthorizationPolicies returns true: + Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals + in the format: + authorizedPrincipals: + - serviceAccount: (Mandatory) + namespace: (Optional, will default to onap) + allowedOperationMethods: ("app" corresponds to a key defined in "common.labels", which is included in "common.service") + + If common.useAuthorizationPolicies returns false: + Will not create an authorization policy +*/}} +{{- define "common.authorizationPolicy" -}} +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . 
}} + action: ALLOW + rules: +{{- if $authorizedPrincipals }} +{{- range $principal := $authorizedPrincipals }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_strimzikafka.tpl b/kubernetes/common/common/templates/_strimzikafka.tpl new file mode 100644 index 0000000000..a2e9c90a4f --- /dev/null +++ b/kubernetes/common/common/templates/_strimzikafka.tpl 
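Review bot: `common.authorizationPolicy` falls back to the literal namespace `onap` (`default "onap" $principal.namespace`) and adds the release prefix only when the namespace equals `onap`, so a release installed in another namespace authorizes principals in a namespace it does not run in. Deriving the default from the release, `{{- $namespace := default (include "common.namespace" $dot) $principal.namespace -}}` with the comparison changed to match, keeps the allowed identities tied to the deployment. When `authorizedPrincipals` is empty the template still emits `action: ALLOW` with an empty `rules:`, which I would expect Istio to treat as matching nothing and therefore denying all requests to the workload; a template comment saying that an empty list results in deny-all would make this explicit. `$dot` is computed but the body keeps using `.`, and `$dot.Values.serviceMesh.authorizationPolicy` is read before the `common.useAuthorizationPolicies` guard, so charts without that values block may fail to render even with policies disabled.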
@@ -0,0 +1,135 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* + Create a Strimzi KafkaUser. + Usage: + include "common.kafkauser" . + + Strimzi kafka provides cluster access via its custom resource definition KafkaUser + which is deployed using its User Operator component. + See more info here - https://github.com/strimzi/strimzi-kafka-operator/blob/main/helm-charts/helm3/strimzi-kafka-operator/crds/044-Crd-kafkauser.yaml + This allows fine grained access control per user towards the kafka cluster. + See more info here - https://strimzi.io/docs/operators/latest/configuring.html#proc-configuring-kafka-user-str + + The kafka user definition is defined as part of .Values per component. + For general use by OOM components, the following list of acl types should suffice: + type: group (Used by the client app to be added to a particular kafka consumer group) + type: topic (1 or more kafka topics that the client needs to access. Commonly [Read,Write]) + + Note: The template will use the following default values. + + spec.authentication.type: scram-sha-512 (dictated by the available broker listeners on the kafka cluster) + spec.authorization.type: simple (Only type supported by strimzi at present) + spec.authorization.acls.resource.patternType: literal + + Example: + + kafkaUser: + acls: + - name: sdc (mandatory) + suffix: mysuffix (optional. Will be appended (with a hyphen) to the "name" entry. 
ie "sdc-mysuffix") + type: group (mandatory. Type "group" is used by the client as it's kafka consumer group) + operations: [Read] (mandatory. List of at least 1) + - name: SDC-DISTR + type: topic + patternType: prefix (optional. In this example, the user will be provided Read and Write access to all topics named "SDC-DISTR*") + operations: [Read, Write] +*/}} +{{- define "common.kafkauser" -}} +{{- $global := .global }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.name" . }}-ku + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: {{ .Values.kafkaUser.authenticationType | default "scram-sha-512" }} + authorization: + type: {{ .Values.kafkaUser.authorizationType | default "simple" }} + acls: + {{- range $acl := .Values.kafkaUser.acls }} + - resource: + type: {{ $acl.type }} + patternType: {{ $acl.patternType | default "literal" }} + name: {{ ternary (printf "%s-%s" $acl.name $acl.suffix) $acl.name (hasKey $acl "suffix") }} + operations: + {{- range $operation := $acl.operations }} + - {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* + Create a Strimzi KafkaTopic. + Usage: + include "common.kafkatopic" . + + Strimzi kafka provides kafka topic management via its custom resource definition KafkaTopic + which is deployed using its Topic Operator component. + See more info here - https://github.com/strimzi/strimzi-kafka-operator/blob/main/helm-charts/helm3/strimzi-kafka-operator/crds/043-Crd-kafkatopic.yaml + + Note: KafkaTopic names should adhere to kubernetes object naming conventions - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ + maximum length of 253 characters and consist of lower case alphanumeric characters, -, and . + + Note: The template will use the following default values. 
+ + spec.config.retention.ms: 7200000 (defaults to 2 hrs retention for kafka topic logs) + spec.config.segment.bytes: 1073741824 (defaults to 1gb) + spec.partitions: 6 (defaults to (2 * (default.replication.factor)) defined by the strimzi broker conf) + spec.replicas: 3 (defaults to default.replication.factor defined by the strimzi broker conf. Must be > 0 and <= (num of broker replicas)) + + The kafka topic definition is defined as part of .Values per component. + + Example: + + kafkaTopic: + - name: my-new-topic (mandatory) + retentionMs: 7200000 (optional. Defaults to 2hrs) + segmentBytes: 1073741824 (optional. Defaults to 1gb) + suffix: my-suffix (optional. Will be appended (with a hyphen) to the "name" value. ie "my-new-topic-my-suffix") + - name: my.other.topic + suffix: some.other-suffix +*/}} +{{- define "common.kafkatopic" -}} +{{- $global := .global }} +{{- range $topic := .Values.kafkaTopic }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + {{- if (hasKey $topic "strimziTopicName") }} + name: {{ ($topic.strimziTopicName) }}-kt + {{- else }} + name: {{ ($topic.name) | lower }}-kt + {{- end }} + labels: + strimzi.io/cluster: {{ include "common.release" $ }}-strimzi +spec: + {{- if (hasKey $topic "partitions") }} + partitions: {{ $topic.partitions }} + {{- end }} + {{- if (hasKey $topic "replicas") }} + replicas: {{ $topic.replicas }} + {{- end }} + topicName: {{ ternary (printf "%s-%s" $topic.name $topic.suffix) $topic.name (hasKey $topic "suffix") }} + config: + retention.ms: {{ $topic.retentionMs | default "7200000" }} + segment.bytes: {{ $topic.segmentBytes | default "1073741824"}} +--- +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_tplvalues.tpl b/kubernetes/common/common/templates/_tplvalues.tpl new file mode 100644 index 0000000000..0c6dbec859 --- /dev/null +++ b/kubernetes/common/common/templates/_tplvalues.tpl 
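Review bot: The header comment of `common.kafkauser` marks `name`, `type` and `operations` as mandatory for each ACL, but the template renders them unchecked, so an entry missing one of them produces a `KafkaUser` with an empty field instead of failing at render time. Wrapping them as the MariaDB operator helpers in this commit do, e.g. `type: {{ required "kafkaUser.acls[].type is required" $acl.type }}` (message text is a suggestion), would surface the mistake before the resource reaches the operator. Inside the inner `range` the value is printed with `{{ . }}` while `$operation` is declared and unused, and `$global` is assigned but never read in either define.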
@@ -0,0 +1,49 @@ +{{/* +# Copyright © Original (https://github.com/bitnami/charts) VMware, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template perhaps with scope if the scope is present. +Usage: +{{ include "common.tplvalues._render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues._render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} +*/}} +{{- define "common.tplvalues._render" -}} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues._merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues._merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues._render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} 
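Review bot: `common.tplvalues._render` passes any value containing `{{` to `tpl`, so whatever is supplied under the rendered key is executed as a template with the full chart context (or the given scope), and the header comment does not say so. I would add a line to the comment block such as `Values rendered through this helper are evaluated as templates; pass only values that the chart operator controls.` The backup template added to `_mariadb.tpl` in this commit calls `common.tplValue`, which is not one of the names defined in this file (`common.tplvalues._render`, `common.tplvalues._merge`); presumably it is defined elsewhere in the library, but this is worth checking.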
diff --git a/kubernetes/common/dgbuilder/.helmignore b/kubernetes/common/dgbuilder/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/common/dgbuilder/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/common/dgbuilder/Chart.yaml b/kubernetes/common/dgbuilder/Chart.yaml deleted file mode 100644 index 5884211147..0000000000 --- a/kubernetes/common/dgbuilder/Chart.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: D.G. Builder application -name: dgbuilder -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: 'file://../common' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' - - name: serviceAccount - version: ~12.x-0 - repository: 'file://../serviceAccount' 
diff --git a/kubernetes/common/dgbuilder/resources/config/customSettings.js b/kubernetes/common/dgbuilder/resources/config/customSettings.js deleted file mode 100644 index b6a1a8636a..0000000000 --- a/kubernetes/common/dgbuilder/resources/config/customSettings.js +++ /dev/null 
@@ -1,61 +0,0 @@ -/* Copyright © 2017 AT&T, Amdocs, Bell Canada -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -module.exports={ - "name": "Release sdnc1.0", - "emailAddress": "dguser@onap.org", - "uiPort": 3100, - "mqttReconnectTime": 15000, - "serialReconnectTime": 15000, - "debugMaxLength": 1000, - "htmlPath": "releases/sdnc1.0/html/", - "xmlPath": "releases/sdnc1.0/xml/", - "flowFile": "releases/sdnc1.0/flows/flows.json", - "sharedDir": "releases/sdnc1.0/flows/shared", - "userDir": "releases/sdnc1.0", - "httpAuth": { - "user": "${HTTP_USER}", - "pass": "${HTTP_PASSWORD}" - }, - "dbHost": "{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}", - "dbPort": "3306", - "dbName": "{{.Values.config.db.dbName}}", - "dbUser": "${DB_USER}", - "dbPassword": "${DB_PASSWORD}", - "gitLocalRepository": "", - "restConfUrl": "http://localhost:8181/restconf/operations/SLI-API:execute-graph", - "restConfUser": "${REST_CONF_USER}", - "restConfPassword": "${REST_CONF_PASSWORD}", - "formatXML": "Y", - "formatJSON": "Y", - "httpRoot": "/", - "disableEditor": false, - "httpAdminRoot": "/", - "httpAdminAuth": { - "user": "${HTTP_ADMIN_USER}", - "pass": "${HTTP_ADMIN_PASSWORD}" - }, - "httpNodeRoot": "/", - "httpNodeAuth": { - "user": "${HTTP_NODE_USER}", - "pass": "${HTTP_NODE_PASSWORD}" - }, - "uiHost": "0.0.0.0", - "version": "0.9.1", - {{ if .Values.global.aafEnabled }} - "enableHttps" : true, - {{ end }} - "performGitPull": "N" -} 
diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml deleted file mode 100644 index 6538ad0836..0000000000 --- a/kubernetes/common/dgbuilder/templates/deployment.yaml +++ /dev/null 
@@ -1,144 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} - - name: DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} - - name: HTTP_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "login") | indent 10 }} - - name: HTTP_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "http-user-creds" "key" "password") | indent 10 }} - - name: HTTP_ADMIN_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "login") | indent 10 }} - - name: HTTP_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "password") | indent 10 }} - - name: HTTP_NODE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "login") | indent 10 }} - - name: HTTP_NODE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "password") | indent 10 }} - - name: REST_CONF_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} - - name: REST_CONF_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: config-input - - mountPath: /config - name: config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} - - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.config.dbPodName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && {{ if .Values.global.aafEnabled}} cp /opt/app/osaaf/local/node-*.pem certs && {{end}}./start.sh sdnc1.0 && wait"] - ports: - - containerPort: {{ .Values.service.internalPort }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: SDNC_CONFIG_DIR - value: /opt/onap/sdnc/data/properties - volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: config - mountPath: /opt/app/application.properties - subPath: application.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/conf/svclogic.properties - subPath: svclogic.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/svclogic/svclogic.properties - subPath: svclogic.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/customSettings.js - subPath: customSettings.js - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: -{{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: config-input - configMap: - name: {{ include "common.fullname" . }}-config - - name: config - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/common/dgbuilder/templates/service.yaml b/kubernetes/common/dgbuilder/templates/service.yaml deleted file mode 100644 index bfe8b0aeb5..0000000000 --- a/kubernetes/common/dgbuilder/templates/service.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml deleted file mode 100644 index b295026ae9..0000000000 
--- a/kubernetes/common/dgbuilder/values.yaml
+++ /dev/null
@@ -1,193 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefix: 302 - - # image pull policy - pullPolicy: Always - - # default mount path root directory referenced - # by persistent volumes and log files - persistence: - mountPath: /dockerdata-nfs - - # flag to enable debugging - application support required - debugEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: 'db-root-password' - type: password - externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' - password: '{{ .Values.config.db.rootPassword }}' - - uid: 'db-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: 'http-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . 
}}' - login: '{{ .Values.config.httpUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'admin-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.adminCredsExternalSecret) . }}' - login: '{{ .Values.config.adminUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'node-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.nodeCredsExternalSecret) . }}' - login: '{{ .Values.config.nodeUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'restconf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.restconfCredsExternalSecret) . }}' - login: '{{ .Values.config.restconfUser }}' - password: '{{ .Values.config.restconfPassword }}' - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/ccsdk-dgbuilder-image:1.4.1 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - db: - dbName: sdnctl - # unused for now to preserve the API - rootPassword: openECOMP1.0 - # rootPasswordExternalSecret: some secret - userName: sdnctl - # unused for now to preserve the API - userPassword: gamma - # userCredentialsExternalSecret: some secret - httpUser: dguser - # unused for now to preserve the API - httpPassword: cc03e747a6afbbcbf8be7668acfebee5 - # httpCredsExternalSecret: some secret - adminUser: dguser - # unused for now to preserve the API - adminPassword: cc03e747a6afbbcbf8be7668acfebee5 - # adminCredsExternalSecret: some secret - nodeUser: dguser - # unused for now to preserve the API - nodePassword: cc03e747a6afbbcbf8be7668acfebee5 - # nodeCredsExternalSecret: some secret - restconfUser: admin - # unused for now to preserve the API - restconfPassword: admin - # restconfCredsExternalSecret: some secret - - dbPodName: 
mysql-db - dbServiceName: sdnc-dbhost - # MD5 hash of dguser password ( default: test123 ) - dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: dgbuilder - portName: http - externalPort: 3000 - internalPort: 3100 - nodePort: 28 - -ingress: - enabled: false - service: - - baseaddr: "dgbuilder" - name: "dgbuilder" - port: 3000 - config: - ssl: "redirect" - - # dependency / sub-chart configuration -certInitializer: - nameOverride: dgbuilder-cert-initializer - truststoreMountpath: /opt/onap/ccsdk/dgbuilder/certs - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: org.onap.sdnc - public_fqdn: "dgbuilder.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd /opt/app/osaaf/local; - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1 ; - cp {{ .Values.fqi_namespace }}.crt node-cert.pem; - cp {{ .Values.fqi_namespace }}.key node-key.pem; - chmod go+r node-*.pem - -#Resource Limit flavor -By Default using small -flavor: small -#segregation for different envionment (Small and Large) - -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dgbuilder - roles: - - read 
diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml index cc0271165d..82c8ccd056 100644 --- a/kubernetes/common/elasticsearch/Chart.yaml +++ b/kubernetes/common/elasticsearch/Chart.yaml @@ -18,26 +18,23 @@ apiVersion: v2 description: ONAP elasticsearch name: elasticsearch -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: master - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/master' - name: data - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/data' condition: elasticsearch.data.enabled,data.enabled - name: curator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/curator' condition: elasticsearch.curator.enabled,curator.enabled - - name: certInitializer - version: ~12.x-0 - repository: 'file://../certInitializer' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/elasticsearch/components/curator/Chart.yaml b/kubernetes/common/elasticsearch/components/curator/Chart.yaml index 96f75a1c5d..39780f2e83 100644 --- a/kubernetes/common/elasticsearch/components/curator/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/curator/Chart.yaml @@ -18,12 +18,12 @@ apiVersion: v2 description: ONAP elasticsearch curator name: curator -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/elasticsearch/components/curator/values.yaml b/kubernetes/common/elasticsearch/components/curator/values.yaml index 62964ff973..00f113b5bb 100644 --- a/kubernetes/common/elasticsearch/components/curator/values.yaml 
+++ b/kubernetes/common/elasticsearch/components/curator/values.yaml @@ -123,11 +123,11 @@ resources: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" requests: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" priorityClassName: "" # extraVolumes and extraVolumeMounts allows you to mount other volumes # Example Use Case: mount ssl certificates when elasticsearch has tls enabled diff --git a/kubernetes/common/elasticsearch/components/data/Chart.yaml b/kubernetes/common/elasticsearch/components/data/Chart.yaml index 1b42a19078..d49a21085b 100644 --- a/kubernetes/common/elasticsearch/components/data/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/data/Chart.yaml @@ -18,12 +18,12 @@ apiVersion: v2 description: ONAP elasticsearch data name: data -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../repositoryGenerator' diff --git a/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml b/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml index a7278ba104..e6c5a87f5c 100644 --- a/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml +++ b/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml 
@@ -34,8 +34,7 @@ spec: template: metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.affinity }} affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- end }} diff --git a/kubernetes/common/elasticsearch/components/data/values.yaml b/kubernetes/common/elasticsearch/components/data/values.yaml index 1dc9ab8588..3f9992aaba 100644 --- a/kubernetes/common/elasticsearch/components/data/values.yaml +++ b/kubernetes/common/elasticsearch/components/data/values.yaml @@ -105,11 +105,11 @@ resources: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. limits: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" requests: - cpu: 25m - memory: 1152Mi + cpu: "25m" + memory: "1.1Gi" ## Elasticsearch data container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## diff --git a/kubernetes/common/elasticsearch/components/master/Chart.yaml b/kubernetes/common/elasticsearch/components/master/Chart.yaml index 5ff277d12b..73d59075e3 100644 --- a/kubernetes/common/elasticsearch/components/master/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/master/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP elasticsearch master name: master -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../repositoryGenerator' 
diff --git a/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml b/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml index 85ea2bbc54..8ee0fc50db 100644 --- a/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml +++ b/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml @@ -32,8 +32,7 @@ spec: template: metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.affinity }} affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- end }} diff --git a/kubernetes/common/elasticsearch/components/master/values.yaml b/kubernetes/common/elasticsearch/components/master/values.yaml index a2ec7b92db..a3a219ee31 100644 --- a/kubernetes/common/elasticsearch/components/master/values.yaml +++ b/kubernetes/common/elasticsearch/components/master/values.yaml @@ -108,13 +108,13 @@ resources: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. limits: - cpu: 250m - memory: 1536Mi - # cpu: 100m - # memory: 128Mi + cpu: "250m" + memory: "1.5Gi" + # cpu: "100m" + # memory: "100Mi" requests: - cpu: 5m - memory: 310Mi + cpu: "5m" + memory: "300Mi" ## Elasticsearch master-eligible container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## diff --git a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml index 49ce0ef76a..e7520aeed6 100644 --- a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml +++ b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml 
@@ -21,11 +21,5 @@ kind: ConfigMap metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: server-block.conf: |- -{{ if .Values.global.aafEnabled }} -{{ .Values.nginx.serverBlock.https | indent 4 }} -{{ else }} {{ .Values.nginx.serverBlock.http | indent 4 }} - - -{{ end }} {{- end -}} diff --git a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml index 05e09cb696..0bc6de2b9b 100644 --- a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml +++ b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml @@ -30,8 +30,7 @@ spec: template: metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.affinity }} affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- end }} @@ -64,7 +63,6 @@ spec: securityContext: privileged: true {{- end }} - {{ include "common.certInitializer.initContainer" . | nindent 8 }} containers: - name: {{ include "common.name" . }}-nginx @@ -85,7 +83,6 @@ spec: - name: nginx-server-block mountPath: /opt/bitnami/nginx/conf/server_blocks {{- end }} - {{- include "common.certInitializer.volumeMount" . | nindent 10 }} - name: {{ include "common.name" . }}-elasticsearch image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -172,4 +169,3 @@ spec: configMap: name: {{ include "common.fullname" . }}-nginx-server-block {{- end }} - {{ include "common.certInitializer.volumes" . | nindent 8 }} diff --git a/kubernetes/common/elasticsearch/values.yaml b/kubernetes/common/elasticsearch/values.yaml index 6c46f32c96..7851f2804f 100644 --- a/kubernetes/common/elasticsearch/values.yaml +++ b/kubernetes/common/elasticsearch/values.yaml 
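Review bot: With the `aafEnabled` branch removed in configmap-server-block.yaml, `server-block.conf` is always rendered from `.Values.nginx.serverBlock.http`, so the nginx front end for Elasticsearch has no TLS listener of its own and nothing in the template says where transport encryption is now expected to come from. If the intent is that the service mesh or ingress provides it (presumably, given the Istio annotations added elsewhere in this merge), a template comment such as `{{/* plain HTTP only: TLS is expected from the service mesh / ingress */}}` above the `server-block.conf` key would record that. If `nginx.serverBlock.https` is still defined in the chart's values.yaml, which this diff does not show, it is now dead configuration and should be dropped in the same change.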
@@ -17,7 +17,6 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true nodePortPrefix: 302 clusterName: cluster.local @@ -95,11 +94,11 @@ resources: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. limits: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" requests: - cpu: 25m - memory: 256Mi + cpu: "25m" + memory: "200Mi" ## Elasticsearch coordinating-only container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @@ -260,30 +259,6 @@ service: ## Provide functionality to use RBAC ## -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: elasticsearch-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "elastic" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.elastic" - fqi: "elastic@elastic.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd {{ .Values.credsPath }}; - mkdir -p certs; - keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password; - openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12; - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - chmod -R 755 certs; - ################################################################# # subcharts configuration defaults. ################################################################# 
diff --git a/kubernetes/common/etcd-init/Chart.yaml b/kubernetes/common/etcd-init/Chart.yaml index a76d534d59..166b4172d3 100644 --- a/kubernetes/common/etcd-init/Chart.yaml +++ b/kubernetes/common/etcd-init/Chart.yaml @@ -17,12 +17,15 @@ apiVersion: v2 description: Chart for etcd init job name: etcd-init -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/etcd-init/templates/job.yaml b/kubernetes/common/etcd-init/templates/job.yaml index 9d7dcc26da..71f912e201 100644 --- a/kubernetes/common/etcd-init/templates/job.yaml +++ b/kubernetes/common/etcd-init/templates/job.yaml @@ -27,6 +27,12 @@ spec: backoffLimit: {{ .Values.backoffLimit }} template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} @@ -37,8 +43,8 @@ spec: command: - /app/ready.py args: - - --container-name - - {{ .Values.etcd.containerName }} + - --service-name + - {{ .Values.etcd.serviceName }} env: - name: NAMESPACE valueFrom: 
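Review bot: The new `serviceAccount` dependency in etcd-init/Chart.yaml is declared with `repository: '@local'`, while the `common` and `repositoryGenerator` entries in the same hunk use in-tree `file://` paths. `@local` is resolved through whatever Helm repository the builder has registered under the alias `local`, so the packaged chart depends on the state of the build environment rather than on the sources in this tree. Unless the sibling chart cannot be referenced directly, `repository: 'file://../serviceAccount'` (the form mariadb-galera/Chart.yaml uses for the same dependency) keeps the build reproducible. The file also still ends without a trailing newline.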
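Review bot: `traffic.sidecar.istio.io/excludeOutboundPorts: "443"` in the first job.yaml hunk exempts every outbound connection to port 443 from the sidecar, for all containers in the pod, not only the Kubernetes API call made by the readiness init container; any other HTTPS egress from this pod therefore also bypasses mesh mTLS and policy. The comment should state that scope, e.g. `# NOTE: applies to all outbound traffic on port 443 from this pod`, and "Workarround" should read "Workaround". Where the API server address range is known at deploy time, `traffic.sidecar.istio.io/excludeOutboundIPRanges` would be a narrower exemption; whether that is practical for this chart cannot be judged from the hunk. The same annotation and comment are added in the mariadb-galera backup CronJob (`@@ -29,6 +32,13 @@` of templates/backup/cronjob.yaml).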
@@ -47,6 +53,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -86,11 +99,7 @@ spec: value: "{{ .Values.config.appRole }}" - name: KEY_PREFIX value: "{{ .Values.config.keyPrefix }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} @@ -98,10 +107,6 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/etcd-init/values.yaml b/kubernetes/common/etcd-init/values.yaml index 6ccfb3e5d7..33e34fd086 100644 --- a/kubernetes/common/etcd-init/values.yaml +++ b/kubernetes/common/etcd-init/values.yaml 
@@ -59,20 +59,26 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 500Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 10m - memory: 10Mi + cpu: "10m" + memory: "10Mi" large: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 20m - memory: 20Mi + cpu: "20m" + memory: "20Mi" unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: etcd-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}' diff --git a/kubernetes/common/etcd/Chart.yaml b/kubernetes/common/etcd/Chart.yaml index e038e26a48..02fc2c0603 100644 --- a/kubernetes/common/etcd/Chart.yaml +++ b/kubernetes/common/etcd/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 name: etcd home: https://github.com/coreos/etcd -version: 12.0.0 +version: 13.0.0 appVersion: 2.2.5 description: Distributed reliable key-value store for the most critical data of a distributed system. @@ -27,8 +27,8 @@ sources: dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/etcd/templates/service.yaml b/kubernetes/common/etcd/templates/service.yaml index 04fc93af00..006378f631 100644 --- a/kubernetes/common/etcd/templates/service.yaml +++ b/kubernetes/common/etcd/templates/service.yaml @@ -19,7 +19,6 @@ kind: Service metadata: annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -metadata: name: {{ include "common.servicename" . }} labels: heritage: "{{ .Release.Service }}" @@ -34,6 +33,6 @@ spec: port: {{ .Values.service.clientInternalPort }} clusterIP: None selector: - app: {{ include "common.name" . }} - release: "{{ include "common.release" . }}" + app.kubernetes.io/name: {{ include "common.name" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} 
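Review bot: The selector in the last etcd/templates/service.yaml hunk now matches on `app.kubernetes.io/name` and `app.kubernetes.io/instance`, which only works if the pod template rendered by `common.templateMetadata` in statefulset.yaml carries exactly those two labels. That helper is not visible in this diff, so a `helm template` render check that the headless service still selects the etcd pods is worth doing before merge. Separately, the context line `service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"` is a deprecated alpha annotation; the supported form is `publishNotReadyAddresses: true` under `spec`, and the part of `spec` outside the hunk may or may not already set it.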
diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml index ff11da309a..722a27d791 100644 --- a/kubernetes/common/etcd/templates/statefulset.yaml +++ b/kubernetes/common/etcd/templates/statefulset.yaml @@ -15,26 +15,13 @@ */}} apiVersion: apps/v1 kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - labels: - heritage: "{{ .Release.Service }}" - release: "{{ include "common.release" . }}" - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ include "common.name" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - serviceName: {{ include "common.servicename" .}} + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - heritage: "{{ .Release.Service }}" - release: "{{ include "common.release" . }}" - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{- if .Values.affinity }} affinity: @@ -48,8 +35,7 @@ spec: tolerations: {{ toYaml .Values.tolerations | indent 8 }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.googleK8sRepository" . }}/{{ .Values.image }} @@ -67,8 +53,7 @@ spec: periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end -}} - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: INITIAL_CLUSTER_SIZE value: {{ .Values.replicaCount | quote }} 
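Review bot: The first etcd/templates/statefulset.yaml hunk changes `spec.selector` from `matchLabels: app: …` to whatever `common.selectors` renders, and Kubernetes treats a StatefulSet's selector as immutable, so an in-place `helm upgrade` of an existing 12.x release is likely to be rejected until the StatefulSet is deleted and recreated. That is acceptable for a major version bump but should be written down, for example as a comment above the line: `# selector labels changed in 13.0.0; existing StatefulSets must be recreated on upgrade`. The rest of the template lies outside the hunks shown.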
diff --git a/kubernetes/common/logConfiguration/Chart.yaml b/kubernetes/common/logConfiguration/Chart.yaml index 8207803af3..a5790a4d62 100644 --- a/kubernetes/common/logConfiguration/Chart.yaml +++ b/kubernetes/common/logConfiguration/Chart.yaml @@ -17,9 +17,9 @@ apiVersion: v2 description: Template used to create same STDOUT log configuration name: logConfiguration -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml index 587fa38302..c5bb0aaf94 100644 --- a/kubernetes/common/mariadb-galera/Chart.yaml +++ b/kubernetes/common/mariadb-galera/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera cluster name: mariadb-galera -version: 12.0.0 +version: 13.2.0 keywords: - mariadb - mysql @@ -29,14 +29,15 @@ keywords: dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../readinessCheck' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' - name: serviceAccount - version: ~12.x-0 - repository: 'file://../serviceAccount' \ No newline at end of file + version: ~13.x-0 + repository: 'file://../serviceAccount' + condition: global.mariadbGalera.enableServiceAccount \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml index 4248cfe85c..877e6faaa6 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml 
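Review bot: The `serviceAccount` subchart in mariadb-galera/Chart.yaml becomes optional through `condition: global.mariadbGalera.enableServiceAccount`, but the backup CronJob still sets `serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}` unconditionally (context line of the `@@ -29,6 +32,13 @@` hunk in templates/backup/cronjob.yaml). With the flag false and the non-operator branch active, the backup pods would reference a service account that was never created and would not start. Either wrap that line in `{{- if .Values.global.mariadbGalera.enableServiceAccount }}` … `{{- end }}` or document that backups require the flag. Other templates of the chart are not visible here and may need the same guard.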
@@ -15,6 +15,9 @@ # limitations under the License. */}} +{{- if and .Values.backup.enabled .Values.global.mariadbGalera.useOperator }} +{{ include "common.mariadbOpBackup" . }} +{{ else }} {{- if and .Values.backup.enabled .Values.persistence.enabled }} apiVersion: batch/v1beta1 kind: CronJob @@ -29,6 +32,13 @@ spec: jobTemplate: spec: template: + metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} {{ include "common.podSecurityContext" . | indent 10 | trim}} @@ -77,7 +87,7 @@ spec: env: - name: DB_PASS {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mariadb.secret.rootPassUID" .) "key" "password") | indent 18 }} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 16 }} volumeMounts: - name: backup-dir mountPath: /backup @@ -148,23 +158,16 @@ spec: ls -tr | grep backup | head -$filestoDelete | xargs rm -rf fi fi - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 16 }} volumeMounts: - mountPath: /bitnami/mariadb/data name: tmp-data - mountPath: /opt/bitnami/mariadb/tmp name: tmp - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: backup-dir mountPath: /backup - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 10 }} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: data persistentVolumeClaim: {{- if .Values.persistence.existingClaim }} @@ -180,3 +183,4 @@ spec: - name: tmp emptyDir: {} {{- end }} +{{- end }} 
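Review bot: In the second hunk of mariadb-galera/templates/backup/cronjob.yaml the added `traffic.sidecar.istio.io/excludeOutboundPorts: "443"` takes every outbound connection to port 443 out of the sidecar, not only the one to the Kubernetes API that the comment names. Traffic from the backup pod to any other HTTPS endpoint then skips mesh mTLS, authorization policy and egress telemetry. If the API server address is known at deploy time, `traffic.sidecar.istio.io/excludeOutboundIPRanges: "<API_SERVER_CIDR>"` (placeholder) narrows the bypass; otherwise the comment should state the wider scope. The same annotation is added in mariadb-init/templates/job.yaml and to `podAnnotations` in mariadb-galera/values.yaml.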
diff --git a/kubernetes/common/mariadb-galera/templates/backup/pv.yaml b/kubernetes/common/mariadb-galera/templates/backup/pv.yaml index 30eb74b059..d5e26109e7 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/pv.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/pv.yaml @@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} + +{{- if not .Values.global.mariadbGalera.useOperator }} {{- if .Values.backup.enabled }} {{- if and .Values.backup.persistence.enabled (not .Values.backup.persistence.existingClaim) -}} {{- if eq "True" (include "common.needPV" .) -}} @@ -41,3 +43,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml index 5dd8a3f52f..4c2bfcd389 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml @@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} + +{{- if not .Values.global.mariadbGalera.useOperator }} {{- if .Values.backup.enabled }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} --- @@ -45,3 +47,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml index c95a234fb7..0aa0a63f0a 100644 --- a/kubernetes/common/mariadb-galera/templates/configmap.yaml +++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml 
@@ -15,7 +15,20 @@ # limitations under the License. */}} -{{ if .Values.mariadbConfiguration }} +{{- if .Values.global.mariadbGalera.useOperator }} +{{ if .Values.mariadbOpConfiguration }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "common.fullname" .) }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: + my.cnf: | +{{ .Values.mariadbOpConfiguration | indent 4 }} +{{- end }} +{{- else }} +{{ if .Values.mariadbConfiguration }} apiVersion: v1 kind: ConfigMap metadata: @@ -25,4 +38,5 @@ metadata: data: my.cnf: | {{ .Values.mariadbConfiguration | indent 4 }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/mariadb.yaml b/kubernetes/common/mariadb-galera/templates/mariadb.yaml new file mode 100644 index 0000000000..ce09c9ff06 --- /dev/null +++ b/kubernetes/common/mariadb-galera/templates/mariadb.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.mariadbGalera.useOperator }} +{{ include "common.mariadbOpInstance" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml index 841aab3e17..d37aeb1751 100644 --- a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml 
+++ b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml @@ -14,7 +14,9 @@ # limitations under the License. */}} -{{- if default false .Values.global.metrics.enabled }} +{{- if not .Values.global.mariadbGalera.useOperator }} +{{- if default false .Values.global.metrics.enabled }} +--- apiVersion: v1 kind: Service metadata: @@ -31,4 +33,5 @@ spec: port: {{ .Values.metrics.service.port }} targetPort: tcp-metrics selector: {{- include "common.matchLabels" . | nindent 4 }} -{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/pdb.yaml b/kubernetes/common/mariadb-galera/templates/pdb.yaml index 4697934879..734f03f237 100644 --- a/kubernetes/common/mariadb-galera/templates/pdb.yaml +++ b/kubernetes/common/mariadb-galera/templates/pdb.yaml @@ -14,17 +14,19 @@ # limitations under the License. */}} -{{- if .Values.podDisruptionBudget.create }} -apiVersion: policy/v1beta1 +{{- if not .Values.global.mariadbGalera.useOperator }} +{{- if .Values.podDisruptionBudget.create }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: -{{- if .Values.podDisruptionBudget.minAvailable }} +{{- if .Values.podDisruptionBudget.minAvailable }} minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- if .Values.podDisruptionBudget.maxUnavailable }} maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} -{{- end }} +{{- end }} selector: matchLabels: {{- include "common.matchLabels" . | nindent 6 }} -{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/pv.yaml b/kubernetes/common/mariadb-galera/templates/pv.yaml index 54a02cf2db..129b5b26c7 100644 --- a/kubernetes/common/mariadb-galera/templates/pv.yaml +++ b/kubernetes/common/mariadb-galera/templates/pv.yaml 
@@ -15,4 +15,6 @@ # limitations under the License. */}} +{{- if not .Values.global.mariadbGalera.useOperator }} {{ include "common.replicaPV" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/service.yaml b/kubernetes/common/mariadb-galera/templates/service.yaml index 9b4c05ef70..e1a910557f 100644 --- a/kubernetes/common/mariadb-galera/templates/service.yaml +++ b/kubernetes/common/mariadb-galera/templates/service.yaml @@ -15,11 +15,13 @@ # limitations under the License. */}} +{{- if not .Values.global.mariadbGalera.useOperator }} {{ include "common.service" . }} --- {{ include "common.headlessService" . }} +{{- end }} {{- if (include "common.onServiceMesh" .) }} -{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} +{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} --- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication @@ -29,9 +31,13 @@ metadata: spec: selector: matchLabels: - app.kubernetes.io/name: {{ include "common.servicename" . }} + app: {{ include "common.servicename" . }} portLevelMtls: - {{ .Values.service.internalPort }}: + '{{ .Values.service.internalPort }}': +{{- if .Values.mariadbOperator.galera.enabled }} + mode: STRICT +{{- else }} mode: DISABLE -{{- end}} -{{- end}} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml index 6d1ed40e13..4cbf7b394f 100644 --- a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml +++ b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} -{{- if .Values.metrics.serviceMonitor.enabled }} +{{- if not .Values.global.mariadbGalera.useOperator }} +{{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} -{{- end }} +{{- end }} +{{- end }} \ No newline at end of file 
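Review bot: In the PeerAuthentication hunk of mariadb-galera/templates/service.yaml the mTLS mode for the database port is chosen by `.Values.mariadbOperator.galera.enabled`, while the other templates in this commit pick the deployment path by `.Values.global.mariadbGalera.useOperator`. With the defaults in values.yaml (`galera.enabled: true`), a release that sets only `useOperator: false` gets `STRICT` on the legacy StatefulSet where the old template always rendered `DISABLE`, and any release with `galera.enabled: false` accepts plaintext on the database port. The selector also moves from `app.kubernetes.io/name` to `app`; if the pods do not carry that label with the service name as value (pod labels are not visible in this hunk), the policy matches nothing and the namespace or mesh default applies silently. I would add a comment above `portLevelMtls:` such as `# mode follows mariadbOperator.galera.enabled, not global.mariadbGalera.useOperator; DISABLE leaves this port without mTLS`.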
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index c95b572465..70cc0c34bd 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -18,6 +18,7 @@ # limitations under the License. */}} +{{- if not .Values.global.mariadbGalera.useOperator }} apiVersion: apps/v1 kind: StatefulSet metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -220,8 +221,7 @@ spec: {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} {{- end }} - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.schedulerName }} schedulerName: {{ .Values.schedulerName | quote }} {{- end }} @@ -266,3 +266,4 @@ spec: volumeClaimTemplates: - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index e9fe577233..3d9725cb43 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml 
@@ -15,6 +15,25 @@ # See the License for the specific language governing permissions and # limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + persistence: + mountPath: /dockerdata-nfs + backup: + mountPath: /dockerdata-nfs/backup + clusterDomain: cluster.local + metrics: {} + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + nameOverride: mariadb-galera + service: mariadb-galera ################################################################# # Secrets metaconfig 
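Review bot: The comment added above `enableServiceAccount: false` documents only one direction of the coupling with `useOperator`. The Chart.yaml hunk makes the serviceAccount dependency conditional on `global.mariadbGalera.enableServiceAccount`, and the non-operator CronJob still sets `serviceAccountName` to the `read` account, so `useOperator: false` combined with the default `enableServiceAccount: false` would presumably leave pods referencing an account that is never created. I would reword the comment to `# must be true when useOperator is false (the chart's pods use the "read" SA); keep false when the operator creates the SA`.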
@@ -35,21 +54,111 @@ secrets: login: '{{ .Values.galera.mariabackup.user }}' password: '{{ .Values.galera.mariabackup.password }}' +mariadbOperator: + image: mariadb + appVersion: 11.2.2 + persistence: + #storageClassName: default + size: 3Gi + galera: + enabled: true + agentImage: mariadb-operator/mariadb-operator + agentVersion: v0.0.27 + initImage: mariadb-operator/mariadb-operator + initVersion: v0.0.27 + +## String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: mariadb-galera + +## Custom db configuration +## +db: + ## MariaDB username and password + ## Password is ignored if externalSecret is specified. + ## If not set, password will be "randomly" generated + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run + ## + user: my-user + # password: + # externalSecret: + ## Database to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run + ## + # name: my_database + +## Desired number of cluster nodes +## +replicaCount: 3 + +## Additional pod annotations for MariaDB Galera pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## -> here required to enable mariadb-galera in istio +## +podAnnotations: + # sidecar.istio.io/inject: "false" + traffic.sidecar.istio.io/excludeInboundPorts: "4444,4567,4568" + traffic.sidecar.istio.io/includeInboundPorts: '*' + traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568,443" + +mariadbOpConfiguration: |- + [mysqld] + max_allowed_packet=256M + lower_case_table_names = 1 + + ## Character set + collation_server=utf8_unicode_ci + init_connect='SET NAMES utf8' + character_set_server=utf8 + + ## MyISAM + key_buffer_size=32M + myisam_recover_options=FORCE,BACKUP + + ## Safety + skip_host_cache + skip_name_resolve + max_allowed_packet=16M + max_connect_errors=1000000 + 
sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY + sysdate_is_now=1 + + ## Caches and Limits + tmp_table_size=32M + max_heap_table_size=32M + # Re-enabling as now works with Maria 10.1.2 + query_cache_type=1 + query_cache_limit=4M + query_cache_size=256M + max_connections=500 + thread_cache_size=50 + open_files_limit=65535 + table_definition_cache=4096 + table_open_cache=4096 + + ## InnoDB + innodb=FORCE + innodb_strict_mode=1 + # Mandatory per https://github.com/codership/documentation/issues/25 + innodb_autoinc_lock_mode=2 + # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ + innodb_doublewrite=1 + innodb_flush_method=O_DIRECT + innodb_log_files_in_group=2 + innodb_log_file_size=128M + innodb_flush_log_at_trx_commit=1 + innodb_file_per_table=1 + # 80% Memory is default reco. + # Need to re-evaluate when DB size grows + innodb_buffer_pool_size=2G + innodb_file_format=Barracuda + +########################################################################################## +# !!! the following configuration entries are ignored, when mariadbOperator is enabled !!! +########################################################################################## # bitnami image doesn't support well single quote in password passwordStrengthOverride: basic -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: - mountPath: /dockerdata-nfs - backup: - mountPath: /dockerdata-nfs/backup - clusterDomain: cluster.local - metrics: {} - image: bitnami/mariadb-galera:10.5.8 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
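Review bot: `max_allowed_packet` appears twice in the added `mariadbOpConfiguration` block, as `256M` at the top of `[mysqld]` and as `16M` under `## Safety`. In an option file the later assignment normally wins, so the 256M line looks dead and the effective limit is not the one a reader sees first. Keep one of them, e.g. drop the first line and leave `max_allowed_packet=16M` under `## Safety`, or say in a comment which value is intended. The block also carries `innodb_file_format=Barracuda` and the remark about Maria 10.1.2 next to `appVersion: 11.2.2`, so it is worth confirming that every option copied from the older configuration is still accepted by that server version.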
@@ -66,10 +175,6 @@ debug: true ## actions performed on the databases are tried to be done before actual start. init_sleep_time: 5 -## String to partially override common.names.fullname template (will maintain the release name) -## -nameOverride: mariadb-galera - ## Use an alternate scheduler, e.g. "stork". ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## @@ -129,22 +234,6 @@ rootUser: # password: # externalSecret: -## Custom db configuration -## -db: - ## MariaDB username and password - ## Password is ignored if externalSecret is specified. - ## If not set, password will be "randomly" generated - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run - ## - user: my-user - # password: - # externalSecret: - ## Database to create - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run - ## - # name: my_database - ## Galera configuration ## galera: @@ -178,8 +267,16 @@ galera: ## For this reason the db data pvc needs to have accessMode: ReadWriteMany. backup: enabled: false + # used in the mariadb-operator to override the backup name (default is DBName) + # nameOverride: + # defines the backup job execution period cron: "00 00 * * *" + # used by mariadb-operator to set the max retention time + maxRetention: 720h retentionPeriod: 3 + # used by mariadb-operator to set the backup storage type (PVC, S3, volume) + storageType: PVC + # configuration used for PVC backup storage persistence: ## If true, use a Persistent Volume Claim, If false, use emptyDir ## 
@@ -208,11 +305,32 @@ backup: ## Persistent Volume size ## size: 2Gi - + # requires mariadb-operator v0.24.0 + # configuration used for S3 backup storage + # see: https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/BACKUP.md + s3: + bucket: backups + endpoint: minio.minio.svc.cluster.local:9000 + #region: us-east-1 + accessKeyIdSecretKeyRef: + name: minio + key: access-key-id + secretAccessKeySecretKeyRef: + name: minio + key: secret-access-key + tls: + enabled: false + caSecretKeyRef: + name: minio-ca + key: ca.crt + # configuration used for kubernetes volumes as backup storage + # see: https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/BACKUP.md + volume: {} readinessCheck: wait_for: - - '{{ include "common.name" . }}' + services: + - '{{ include "common.servicename" . }}' ## TLS configuration ## @@ -368,26 +486,12 @@ mariadbConfiguration: |- ## ## extraFlags: "--max-connect-errors=1000 --max_connections=155" -## Desired number of cluster nodes -## -replicaCount: 3 - ## updateStrategy for MariaDB Master StatefulSet ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies ## updateStrategy: type: RollingUpdate -## Additional pod annotations for MariaDB Galera pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -> here required to enable mariadb-galera in istio -## -podAnnotations: - # sidecar.istio.io/inject: "false" - traffic.sidecar.istio.io/excludeInboundPorts: "4444,4567,4568" - traffic.sidecar.istio.io/includeInboundPorts: '*' - traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568" - ## Pod affinity preset ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## Allowed values: soft, hard 
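Review bot: The new `backup.s3` defaults ship with `tls.enabled: false`, so a deployer who only switches `storageType` to S3 sends database dumps to the endpoint unencrypted. Defaulting to `enabled: true` (the `caSecretKeyRef` entry is already there) or adding `# plaintext transport: enable TLS for anything but a local test` above the flag makes the choice explicit. The comment `requires mariadb-operator v0.24.0` does not match the `v0.0.27` pinned for `agentVersion` and `initVersion` in the same file; one of the two is probably mistyped and should be confirmed.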
@@ -488,18 +592,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 500m - memory: 2Gi + cpu: "500m" + memory: "2Gi" large: limits: - cpu: 2 - memory: 6Gi + cpu: "2" + memory: "6Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" unlimited: {} ## MariaDB Galera containers' liveness and readiness probes @@ -564,11 +668,11 @@ metrics: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: - cpu: 0.5 - memory: 256Mi + cpu: "0.5" + memory: "200Mi" requests: - cpu: 0.5 - memory: 256Mi + cpu: "0.5" + memory: "200Mi" ## MariaDB Galera metrics container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml index 32e6762b63..fa89a669d2 100644 --- a/kubernetes/common/mariadb-init/Chart.yaml +++ b/kubernetes/common/mariadb-init/Chart.yaml @@ -17,12 +17,18 @@ apiVersion: v2 description: Chart for MariaDB Galera init job name: mariadb-init -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml index e911d46d12..4bb142d001 100644 --- a/kubernetes/common/mariadb-init/templates/job.yaml +++ b/kubernetes/common/mariadb-init/templates/job.yaml 
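Review bot: The two dependencies added to mariadb-init/Chart.yaml use `repository: '@local'`, while `common` and `repositoryGenerator` in the same list use `file://` paths. `@local` resolves through whatever Helm repository alias named `local` is configured on the build machine, so these two subcharts are taken from that repository rather than from the checked-out tree. For a reproducible build tied to the reviewed sources I would use `repository: 'file://../serviceAccount'` and `repository: 'file://../readinessCheck'`, as mariadb-galera/Chart.yaml does.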
@@ -31,26 +31,18 @@ spec: backoffLimit: 20 template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{ default .Values.global.mariadbGalera.nameOverride .Values.mariadbGalera.containerName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.image.mariadb" . }} @@ -82,17 +74,13 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" $root "uid" $db "key" "password") | indent 10 }} {{ end }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: mariadb-init mountPath: /db_init/ {{- if or .Values.dbScriptConfigMap .Values.dbScript }} - name: mariadb-conf mountPath: /db_config/ {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: 
@@ -102,10 +90,8 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime {{- if or .Values.dbScriptConfigMap .Values.dbScript }} - name: mariadb-conf configMap: @@ -121,5 +107,4 @@ spec: name: {{ include "mariadbInit.configMap" . }} defaultMode: 0755 restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/mariadb-init/tests/job_test.yaml b/kubernetes/common/mariadb-init/tests/job_test.yaml index 170eaf3c96..cff8f947f8 100644 --- a/kubernetes/common/mariadb-init/tests/job_test.yaml +++ b/kubernetes/common/mariadb-init/tests/job_test.yaml @@ -36,7 +36,7 @@ tests: content: mariadb-galera - equal: path: spec.template.spec.initContainers[0].image - value: nexus3.onap.org:10001/onap/oom/readiness:3.0.1 + value: nexus3.onap.org:10001/onap/oom/readiness:6.0.3 - equal: path: spec.template.spec.initContainers[0].imagePullPolicy value: IfNotPresent diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml index 9104dd84d6..57dfb400c4 100644 --- a/kubernetes/common/mariadb-init/values.yaml +++ b/kubernetes/common/mariadb-init/values.yaml 
@@ -63,6 +63,27 @@ mariadbGalera: {} # userRootSecret: some-secret-name # userRootSecretKey: password +# These are default settings, required for a chart compilation with "local" cluster +# setting. These values need to be overwritten in the component's values.yaml, e.g. +# global: +# mariadbGalera: &mariadbGalera +# #This flag allows SO to instantiate its own mariadb-galera cluster +# localCluster: true +# service: nbi-galera +# internalPort: 3306 +# nameOverride: nbi-galera +# mariadb-init: +# mariadb-galera: +# nameOverride: nbi-galera +# service: +# internalPort: 3306 +mariadb-galera: + service: + internalPort: 3306 + nameOverride: mariadb-galera + mariadbOperator: + galera: + enabled: false config: userPassword: Ci@shsOd3pky1Vji @@ -104,20 +125,31 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 500Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 10m - memory: 10Mi + cpu: "10m" + memory: "10Mi" large: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 20m - memory: 20Mi + cpu: "20m" + memory: "20Mi" unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: mariadb-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}' + +readinessCheck: + wait_for: + services: + - '{{ include "common.mariadbService" . }}' diff --git a/kubernetes/common/mongo/.helmignore b/kubernetes/common/mongo/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/common/mongo/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj 
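Review bot: Directly below the block added by the first hunk of mariadb-init/values.yaml, the unchanged context line `config: userPassword:` still carries a literal default password. Every deployment that does not override it shares a credential that is readable in the repository. Since this hunk already reworks the defaults, I would leave the value empty and document the alternative, e.g. `# userPassword: set via override or an external secret; no default`; whether the chart copes with an empty value is not visible here. The added example comment also says the flag "allows SO to instantiate" its own cluster although the sample values name nbi-galera.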
diff --git a/kubernetes/common/mongo/Chart.yaml b/kubernetes/common/mongo/Chart.yaml deleted file mode 100644 index 180af14e98..0000000000 --- a/kubernetes/common/mongo/Chart.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright © 2018, 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: MongoDB Server -name: mongo -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: 'file://../common' - - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/mongo/templates/pv.yaml b/kubernetes/common/mongo/templates/pv.yaml deleted file mode 100644 index 9d40144ed5..0000000000 --- a/kubernetes/common/mongo/templates/pv.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/common/mongo/templates/service.yaml b/kubernetes/common/mongo/templates/service.yaml deleted file mode 100644 index e8894c2b59..0000000000 --- a/kubernetes/common/mongo/templates/service.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -# Copyright © 2018 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - clusterIP: None ---- -# Client service for connecting to any Mongo instance for reads. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-read - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} -spec: - ports: - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -{{ if .Values.geoEnabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-nodeport - namespace: {{ include "common.namespace" . }} - labels: - statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . 
}}-0 -spec: - ports: - - name: {{ .Values.service.internalPort }} - port: {{ .Values.service.internalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.externalPort1 }} - - name: {{ .Values.xtrabackup.internalPort }} - port: {{ .Values.xtrabackup.internalPort }} - targetPort: {{ .Values.xtrabackup.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.externalPort2 }} - type: NodePort - selector: - statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-0 - release: {{ include "common.release" . }} -{{ end }} diff --git a/kubernetes/common/mongo/templates/statefulset.yaml b/kubernetes/common/mongo/templates/statefulset.yaml deleted file mode 100644 index e156db27db..0000000000 --- a/kubernetes/common/mongo/templates/statefulset.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -{{/* -# Copyright © 2018 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ .Values.service.name }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: -{{ include "common.podSecurityContext" . | indent 6 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - # we shouldn't need this but for unknown reason, it's fsGroup is not - # applied - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /data - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - runAsUser: 0 - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /data - containers: - - name: {{ include "common.name" . 
}} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - docker-entrypoint.sh - args: - - --nounixsocket - env: - - name: MONGO_INITDB_DATABASE - value: "{{ .Values.config.dbName }}" - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: - - mongo - - --eval - - "db.adminCommand('ping')" - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /data/db - resources: {{ include "common.resources" . | nindent 12 }} -{{ include "common.containerSecurityContext" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . 
}} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- else }} - volumes: - - name: {{ include "common.fullname" . }}-data - emptyDir: {} - {{- end }} diff --git a/kubernetes/common/mongo/values.yaml b/kubernetes/common/mongo/values.yaml deleted file mode 100644 index caab71890d..0000000000 --- a/kubernetes/common/mongo/values.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -# Copyright © 2018 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - - -################################################################# -# Application configuration defaults. -################################################################# - -image: library/mongo:4.4.10 -pullPolicy: Always - -# application configuration -config: - dbName: mongo -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: false - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to 
null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: "mongo/data" - -service: - name: mongo - portName: mongo - internalPort: 27017 - # nfs provisioner ports - nfsPort: 2049 - mountdPort: 20048 - rpcbindPort: 111 - rpcbindUdpPort: 111 - -securityContext: - user_id: 999 - group_id: 999 - -ingress: - enabled: false - - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: 100m - memory: 200Mi - requests: - cpu: 10m - memory: 50Mi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - unlimited: {} - -sdnctlPrefix: mongo - -geoEnabled: false -geoSiteId: 1 diff --git a/kubernetes/common/mongodb/.helmignore b/kubernetes/common/mongodb/.helmignore new file mode 100644 index 0000000000..fb56657ab4 --- /dev/null +++ b/kubernetes/common/mongodb/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# img folder +img/ 
diff --git a/kubernetes/common/mongodb/Chart.yaml b/kubernetes/common/mongodb/Chart.yaml
new file mode 100644
index 0000000000..73c8bab5c2
--- /dev/null
+++ b/kubernetes/common/mongodb/Chart.yaml
@@ -0,0 +1,43 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+annotations:
+ category: Database
+ licenses: Apache-2.0
+ images: |
+ - name: kubectl
+ image: docker.io/bitnami/kubectl:1.29.2-debian-12-r1
+ - name: mongodb
+ image: docker.io/bitnami/mongodb:7.0.5-debian-12-r4
+ - name: mongodb-exporter
+ image: docker.io/bitnami/mongodb-exporter:0.40.0-debian-12-r11
+ - name: nginx
+ image: docker.io/bitnami/nginx:1.25.4-debian-12-r1
+ - name: os-shell
+ image: docker.io/bitnami/os-shell:12-debian-12-r15
+apiVersion: v2
+appVersion: 7.0.5
+dependencies:
+- name: common
+ repository: 'file://./common'
+ #repository: oci://registry-1.docker.io/bitnamicharts
+ tags:
+ - bitnami-common
+ version: 2.x.x
+description: MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications.
+home: https://bitnami.com
+icon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png
+keywords:
+- mongodb
+- database
+- nosql
+- cluster
+- replicaset
+- replication
+maintainers:
+- name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+name: mongodb
+sources:
+- https://github.com/bitnami/charts/tree/main/bitnami/mongodb
+version: 14.12.2
diff --git a/kubernetes/common/mongodb/README.md b/kubernetes/common/mongodb/README.md
new file mode 100644
index 0000000000..065e047fdc
--- /dev/null
+++ b/kubernetes/common/mongodb/README.md
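Review bot: The `common` dependency in Chart.yaml is repointed to `repository: 'file://./common'` with the upstream OCI source left as a commented-out line, and nothing in the file records that this is a local patch on top of a vendored Bitnami chart. A later re-vendoring can silently revert or drop the change, and the `2.x.x` range does not say which copy of the library was actually reviewed; whether `./common` is added elsewhere in this commit is not visible from this hunk. I would replace the dead line with a provenance comment such as `# ONAP: bitnami 'common' is vendored under ./common; upstream resolves it from oci://registry-1.docker.io/bitnamicharts`. The `images` annotation also lists `docker.io/bitnami/...` references by tag only; if the chart's values follow it, setting the `image.digest` parameter documented in the README would make the deployed images verifiable.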
@@ -0,0 +1,1120 @@ + + +# MongoDB(R) packaged by Bitnami + +MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications. + +[Overview of MongoDB®](http://www.mongodb.org) + +Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB(R) is run and maintained by MongoDB, which is a completely separate project from Bitnami. + +## TL;DR + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb +``` + +Looking to use MongoDBreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + +## Introduction + +This chart bootstraps a [MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The command deploys MongoDB(®) on the Kubernetes cluster in the default configuration. 
The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Architecture + +This chart allows installing MongoDB(®) using two different architecture setups: `standalone` or `replicaset`. Use the `architecture` parameter to choose the one to use: + +```console +architecture="standalone" +architecture="replicaset" +``` + +### Standalone architecture + +The *standalone* architecture installs a deployment (or StatefulSet) with one MongoDB® server (it cannot be scaled): + +```text + ---------------- + | MongoDB® | + | svc | + ---------------- + | + v + ------------ + |MongoDB®| + | Server | + | Pod | + ----------- +``` + +### Replicaset architecture + +The chart also supports the *replicaset* architecture with and without a MongoDB(®) Arbiter: + +When the MongoDB(®) Arbiter is enabled, the chart installs two StatefulSets: A StatefulSet with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes), and a StatefulSet with one MongoDB(®) arbiter node (it cannot be scaled). 
+ +```text + ---------------- ---------------- ---------------- ------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | Arbiter | + | external svc | | external svc | | external svc | | svc | + ---------------- ---------------- ---------------- ------------- + | | | | + v v v v + ---------------- ---------------- ---------------- -------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | MongoDB® | + | Server | | Server | | Server | | Arbiter | + | Pod | | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- -------------- + primary secondary secondary +``` + +The PSA model is useful when the third Availability Zone cannot hold a full MongoDB(®) instance. The MongoDB(®) Arbiter as decision maker is lightweight and can run alongside other workloads. + +> NOTE: An update takes your MongoDB(®) replicaset offline if the Arbiter is enabled and the number of MongoDB(®) replicas is two. Helm applies updates to the StatefulSets for the MongoDB(®) instance and the Arbiter at the same time so you lose two out of three quorum votes. + +Without the Arbiter, the chart deploys a single statefulset with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes). + +```text + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | external svc | | external svc | | external svc | + ---------------- ---------------- ---------------- + | | | + v v v + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | Server | | Server | | Server | + | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- + primary secondary secondary +``` + +There are no services load balancing requests between MongoDB(®) nodes; instead, each node has an associated service to access them individually. 
+ +> NOTE: Although the first replica is initially assigned the primary role, any of the secondary nodes can become the primary if it is down, or during upgrades. Do not make any assumption about what replica has the primary role. Instead, configure your MongoDB(®) client with the list of MongoDB(®) hostnames so it can dynamically choose the node to send requests. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` | + +### Common parameters + +| Name | Description | Value | +| ------------------------- | --------------------------------------------------------------------------------------------------------- | --------------- | +| `nameOverride` | String to partially override mongodb.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override mongodb.fullname template | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `commonLabels` | Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template | `{}` | +| `commonAnnotations` | Common annotations to add to all Mongo resources (sub-charts are not considered). 
Evaluated as a template | `{}` | +| `topologyKey` | Override common lib default topology key. If empty - "kubernetes.io/hostname" is used | `""` | +| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | +| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + +### MongoDB(®) parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------- | +| `image.registry` | MongoDB(®) image registry | `REGISTRY_NAME` | +| `image.repository` | MongoDB(®) image registry | `REPOSITORY_NAME/mongodb` | +| `image.digest` | MongoDB(®) image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | MongoDB(®) image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Set to true if you would like to see extra information on logs | `false` | +| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `architecture` | MongoDB(®) architecture (`standalone` or `replicaset`) | `standalone` | +| `useStatefulSet` | Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) | `false` | +| `auth.enabled` | Enable authentication | `true` | +| `auth.rootUser` | MongoDB(®) root user | `root` | +| `auth.rootPassword` | MongoDB(®) root password | `""` | +| `auth.usernames` | List of custom users to be created during the initialization | `[]` | +| `auth.passwords` | List of passwords for the custom users set at `auth.usernames` | `[]` | +| `auth.databases` | List of custom databases to be created during the initialization | `[]` | +| `auth.username` | DEPRECATED: use `auth.usernames` instead | `""` | +| `auth.password` | DEPRECATED: use `auth.passwords` instead | `""` | +| `auth.database` | DEPRECATED: use `auth.databases` instead | `""` | +| `auth.replicaSetKey` | Key used for authentication in the replicaset (only when `architecture=replicaset`) | `""` | +| `auth.existingSecret` | Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) | `""` | +| `tls.enabled` | Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes | `false` | +| `tls.mTLS.enabled` | IF TLS support is enabled, require clients to provide certificates | `true` | +| `tls.autoGenerated` | Generate a custom CA and self-signed certificates | `true` | +| `tls.existingSecret` | Existing secret with TLS certificates (keys: 
`mongodb-ca-cert`, `mongodb-ca-key`) | `""` | +| `tls.caCert` | Custom CA certificated (base64 encoded) | `""` | +| `tls.caKey` | CA certificate private key (base64 encoded) | `""` | +| `tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` | +| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | +| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | +| `tls.image.registry` | Init container TLS certs setup image registry | `REGISTRY_NAME` | +| `tls.image.repository` | Init container TLS certs setup image repository | `REPOSITORY_NAME/nginx` | +| `tls.image.digest` | Init container TLS certs setup image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `tls.image.pullPolicy` | Init container TLS certs setup image pull policy | `IfNotPresent` | +| `tls.image.pullSecrets` | Init container TLS certs specify docker-registry secret names as an array | `[]` | +| `tls.extraDnsNames` | Add extra dns names to the CA, can solve x509 auth issue for pod clients | `[]` | +| `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` | +| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `none` | +| `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `tls.securityContext` | Init container generate-tls-cert Security context | `{}` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | Add deployment host aliases | `[]` | +| `replicaSetName` | Name of the replica set (only when `architecture=replicaset`) | `rs0` | +| `replicaSetHostnames` | Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) | `true` | +| `enableIPv6` | Switch to enable/disable IPv6 on MongoDB(®) | `false` | +| `directoryPerDB` | Switch to enable/disable DirectoryPerDB on MongoDB(®) | `false` | +| `systemLogVerbosity` | MongoDB(®) system log verbosity level | `0` | +| `disableSystemLog` | Switch to enable/disable MongoDB(®) system log | `false` | +| `disableJavascript` | Switch to enable/disable MongoDB(®) server-side JavaScript execution | `false` | +| `enableJournal` | Switch to enable/disable MongoDB(®) Journaling | `true` | +| `configuration` | MongoDB(®) configuration file to be used for Primary and Secondary nodes | `""` | + +### 
replicaSetConfigurationSettings settings applied during runtime (not via configuration file) + +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------- | +| `replicaSetConfigurationSettings.enabled` | Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings | `false` | +| `replicaSetConfigurationSettings.configuration` | run-time rs.conf settings | `{}` | +| `existingConfigmap` | Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes | `""` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | Existing ConfigMap with custom initdb scripts | `""` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraFlags` | MongoDB(®) additional command line flags | `[]` | +| `extraEnvVars` | Extra environment variables to add to MongoDB(®) pods | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | + +### MongoDB(®) statefulset parameters + +| Name | Description | Value | +| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `annotations` | Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` | +| `labels` | Annotations to be added to the MongoDB(®) statefulset. 
Evaluated as a template | `{}` | +| `replicaCount` | Number of MongoDB(®) nodes | `2` | +| `updateStrategy.type` | Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, | `RollingUpdate` | +| `podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | +| `podAffinityPreset` | MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | MongoDB(®) Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | MongoDB(®) Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | MongoDB(®) Affinity for pod assignment | `{}` | +| `nodeSelector` | MongoDB(®) Node labels for pod assignment | `{}` | +| `tolerations` | MongoDB(®) Tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | MongoDB(®) Spread Constraints for Pods | `[]` | +| `lifecycleHooks` | LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup | `{}` | +| `terminationGracePeriodSeconds` | MongoDB(®) Termination Grace Period | `""` | +| `podLabels` | MongoDB(®) pod labels | `{}` | +| `podAnnotations` | MongoDB(®) Pod annotations | `{}` | +| `priorityClassName` | Name of the existing priority class to be used by MongoDB(®) pod(s) | `""` | +| `runtimeClassName` | Name of the runtime class to be used by MongoDB(®) pod(s) | `""` | +| `podSecurityContext.enabled` | Enable MongoDB(®) pod(s)' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups 
| `[]` | +| `podSecurityContext.fsGroup` | Group ID for the volumes of the MongoDB(®) pod(s) | `1001` | +| `podSecurityContext.sysctls` | sysctl settings of the MongoDB(®) pod(s)' | `[]` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
| `none` |
+| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `containerPorts.mongodb` | MongoDB(®) container port | `27017` |
+| `livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
+| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
+| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
+| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `startupProbe.enabled` | Enable startupProbe | `false` |
+| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
+| `startupProbe.periodSeconds` | Period seconds for startupProbe | `20` |
+| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `10` |
+| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
+| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` |
+| `customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` |
+| `customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` |
+| `initContainers` | Add additional init containers for the hidden node pod(s) | `[]` |
+| `sidecars` | Add additional sidecar containers for the MongoDB(®) pod(s) | `[]` |
+| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) | `[]` |
+| `extraVolumes` | Optionally specify extra list of additional volumes to the MongoDB(®) statefulset | `[]` |
+| `pdb.create` | Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) | `false` |
+| `pdb.minAvailable` | Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction | `1` |
+| `pdb.maxUnavailable` | Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction | `""` |
+
+### Traffic exposure parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
+| `service.nameOverride` | MongoDB(®) service name | `""` |
+| `service.type` | Kubernetes Service type (only for standalone architecture) | `ClusterIP` |
+| `service.portName` | MongoDB(®) service port name (only for standalone architecture) | `mongodb` |
+| `service.ports.mongodb` | MongoDB(®) service port. | `27017` |
+| `service.nodePorts.mongodb` | Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) | `""` |
+| `service.clusterIP` | MongoDB(®) service cluster IP (only for standalone architecture) | `""` |
+| `service.externalIPs` | Specify the externalIP value ClusterIP service type (only for standalone architecture) | `[]` |
+| `service.loadBalancerIP` | loadBalancerIP for MongoDB(®) Service (only for standalone architecture) | `""` |
+| `service.loadBalancerClass` | loadBalancerClass for MongoDB(®) Service (only for standalone architecture) | `""` |
+| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) | `[]` |
+| `service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` |
+| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `service.annotations` | Provide any additional annotations that may be required | `{}` |
+| `service.externalTrafficPolicy` | service external traffic policy (only for standalone architecture) | `Local` |
+| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `service.headless.annotations` | Annotations for the headless service. | `{}` |
+| `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) | `false` |
+| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` |
+| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` |
+| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `REPOSITORY_NAME/kubectl` |
+| `externalAccess.autoDiscovery.image.digest` | Init container auto-discovery image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` |
+| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` |
+| `externalAccess.autoDiscovery.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `none` |
+| `externalAccess.autoDiscovery.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `externalAccess.externalMaster.enabled` | Use external master for bootstrapping | `false` |
+| `externalAccess.externalMaster.host` | External master host to bootstrap from | `""` |
+| `externalAccess.externalMaster.port` | Port for MongoDB(®) service external master host | `27017` |
+| `externalAccess.service.type` | Kubernetes Service type for external access. Allowed values: NodePort, LoadBalancer or ClusterIP | `LoadBalancer` |
+| `externalAccess.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` |
+| `externalAccess.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` |
+| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` |
+| `externalAccess.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` |
+| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
+| `externalAccess.service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` |
+| `externalAccess.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` |
+| `externalAccess.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort | `[]` |
+| `externalAccess.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` |
+| `externalAccess.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `externalAccess.service.annotations` | Service annotations for external access | `{}` |
+| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(®) hidden nodes | `false` |
+| `externalAccess.hidden.service.type` | Kubernetes Service type for external access. Allowed values: NodePort or LoadBalancer | `LoadBalancer` |
+| `externalAccess.hidden.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` |
+| `externalAccess.hidden.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` |
+| `externalAccess.hidden.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` |
+| `externalAccess.hidden.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` |
+| `externalAccess.hidden.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` |
+| `externalAccess.hidden.service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` |
+| `externalAccess.hidden.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` |
+| `externalAccess.hidden.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. Length must be the same as replicaCount | `[]` |
+| `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` |
+| `externalAccess.hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` |
+| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
+| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+
+### Network policy parameters
+
+| Name | Description | Value |
+| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
+| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `networkPolicy.allowExternal` | Don't require server label for connections | `true` |
+| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
+| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `persistence.enabled` | Enable MongoDB(®) data persistence using PVC | `true` |
+| `persistence.name` | Name of the PVC and mounted volume | `datadir` |
+| `persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
+| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` |
+| `persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
+| `persistence.storageClass` | PVC Storage Class for MongoDB(®) data volume | `""` |
+| `persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` |
+| `persistence.size` | PVC Storage Request for MongoDB(®) data volume | `8Gi` |
+| `persistence.annotations` | PVC annotations | `{}` |
+| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` |
+| `persistence.subPath` | Subdirectory of the volume to mount at | `""` |
+| `persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
+| `persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` |
+| `persistence.volumeClaimTemplates.dataSource` | Add dataSource to the VolumeClaimTemplate | `{}` |
+| `persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for MongoDB(®) Statefulset | `false` |
+| `persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
+| `persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
+
+### Backup parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
+| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` |
+| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` |
+| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` |
+| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` |
+| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` |
+| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` |
+| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` |
+| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` |
+| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `backup.cronjob.command` | Set backup container's command to run | `[]` |
+| `backup.cronjob.labels` | Set the cronjob labels | `{}` |
+| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
+| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` |
+| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
+| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` |
+| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` |
+| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` |
+| `backup.cronjob.storage.annotations` | PVC annotations | `{}` |
+| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/mongodb` |
+| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` |
+| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
+
+### RBAC parameters
+
+| Name | Description | Value |
+| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB(®) pods | `true` |
+| `serviceAccount.name` | Name of the created serviceAccount | `""` |
+| `serviceAccount.annotations` | Additional Service Account annotations | `{}` |
+| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
+| `rbac.create` | Whether to create & use RBAC resources or not | `false` |
+| `rbac.rules` | Custom rules to create following the role specification | `[]` |
+| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
+| `podSecurityPolicy.allowPrivilegeEscalation` | Enable privilege escalation | `false` |
+| `podSecurityPolicy.privileged` | Allow privileged | `false` |
+| `podSecurityPolicy.spec` | Specify the full spec to use for Pod Security Policy | `{}` |
+
+### Volume Permissions parameters
+
+| Name | Description | Value |
+| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
+| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
+| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
+| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
+| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
+| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
+| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
+| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` |
+
+### Arbiter parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
+| `arbiter.enabled` | Enable deploying the arbiter | `true` |
+| `arbiter.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `arbiter.hostAliases` | Add deployment host aliases | `[]` |
+| `arbiter.configuration` | Arbiter configuration file to be used | `""` |
+| `arbiter.existingConfigmap` | Name of existing ConfigMap with Arbiter configuration | `""` |
+| `arbiter.command` | Override default container command (useful when using custom images) | `[]` |
+| `arbiter.args` | Override default container args (useful when using custom images) | `[]` |
+| `arbiter.extraFlags` | Arbiter additional command line flags | `[]` |
+| `arbiter.extraEnvVars` | Extra environment variables to add to Arbiter pods | `[]` |
+| `arbiter.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
+| `arbiter.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` |
+| `arbiter.annotations` | Additional labels to be added to the Arbiter statefulset | `{}` |
+| `arbiter.labels` | Annotations to be added to the Arbiter statefulset | `{}` |
+| `arbiter.topologySpreadConstraints` | MongoDB(®) Spread Constraints for arbiter Pods | `[]` |
+| `arbiter.lifecycleHooks` | LifecycleHook for the Arbiter container to automate configuration before or after startup | `{}` |
+| `arbiter.terminationGracePeriodSeconds` | Arbiter Termination Grace Period | `""` |
+| `arbiter.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` |
+| `arbiter.podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` |
+| `arbiter.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` |
+| `arbiter.podAffinityPreset` | Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `arbiter.podAntiAffinityPreset` | Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `arbiter.nodeAffinityPreset.type` | Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `arbiter.nodeAffinityPreset.key` | Arbiter Node label key to match Ignored if `affinity` is set. | `""` |
+| `arbiter.nodeAffinityPreset.values` | Arbiter Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `arbiter.affinity` | Arbiter Affinity for pod assignment | `{}` |
+| `arbiter.nodeSelector` | Arbiter Node labels for pod assignment | `{}` |
+| `arbiter.tolerations` | Arbiter Tolerations for pod assignment | `[]` |
+| `arbiter.podLabels` | Arbiter pod labels | `{}` |
+| `arbiter.podAnnotations` | Arbiter Pod annotations | `{}` |
+| `arbiter.priorityClassName` | Name of the existing priority class to be used by Arbiter pod(s) | `""` |
+| `arbiter.runtimeClassName` | Name of the runtime class to be used by Arbiter pod(s) | `""` |
+| `arbiter.podSecurityContext.enabled` | Enable Arbiter pod(s)' Security Context | `true` |
+| `arbiter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `arbiter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `arbiter.podSecurityContext.fsGroup` | Group ID for the volumes of the Arbiter pod(s) | `1001` |
+| `arbiter.podSecurityContext.sysctls` | sysctl settings of the Arbiter pod(s)' | `[]` |
+| `arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `arbiter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `arbiter.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `arbiter.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `arbiter.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `arbiter.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). | `none` |
+| `arbiter.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `arbiter.containerPorts.mongodb` | MongoDB(®) arbiter container port | `27017` |
+| `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `arbiter.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
+| `arbiter.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
+| `arbiter.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `arbiter.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `arbiter.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `arbiter.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `arbiter.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` |
+| `arbiter.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` |
+| `arbiter.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `arbiter.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `arbiter.startupProbe.enabled` | Enable startupProbe | `false` |
+| `arbiter.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
+| `arbiter.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `arbiter.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `arbiter.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
+| `arbiter.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `arbiter.customLivenessProbe` | Override default liveness probe for Arbiter containers | `{}` |
+| `arbiter.customReadinessProbe` | Override default readiness probe for Arbiter containers | `{}` |
+| `arbiter.customStartupProbe` | Override default startup probe for Arbiter containers | `{}` |
+| `arbiter.initContainers` | Add additional init containers for the Arbiter pod(s) | `[]` |
+| `arbiter.sidecars` | Add additional sidecar containers for the Arbiter pod(s) | `[]` |
+| `arbiter.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Arbiter container(s) | `[]` |
+| `arbiter.extraVolumes` | Optionally specify extra list of additional volumes to the Arbiter statefulset | `[]` |
+| `arbiter.pdb.create` | Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) | `false` |
+| `arbiter.pdb.minAvailable` | Minimum number/percentage of Arbiter pods that should remain scheduled | `1` |
+| `arbiter.pdb.maxUnavailable` | Maximum number/percentage of Arbiter pods that may be made unavailable | `""` |
+| `arbiter.service.nameOverride` | The arbiter service name | `""` |
+| `arbiter.service.ports.mongodb` | MongoDB(®) service port | `27017` |
+| `arbiter.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `arbiter.service.annotations` | Provide any additional annotations that may be required | `{}` |
+| `arbiter.service.headless.annotations` | Annotations for the headless service. | `{}` |
+
+### Hidden Node parameters
+
+| Name | Description | Value |
+| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- |
+| `hidden.enabled` | Enable deploying the hidden nodes | `false` |
+| `hidden.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `hidden.hostAliases` | Add deployment host aliases | `[]` |
+| `hidden.configuration` | Hidden node configuration file to be used | `""` |
+| `hidden.existingConfigmap` | Name of existing ConfigMap with Hidden node configuration | `""` |
+| `hidden.command` | Override default container command (useful when using custom images) | `[]` |
+| `hidden.args` | Override default container args (useful when using custom images) | `[]` |
+| `hidden.extraFlags` | Hidden node additional command line flags | `[]` |
+| `hidden.extraEnvVars` | Extra environment variables to add to Hidden node pods | `[]` |
+| `hidden.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
+| `hidden.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` |
+| `hidden.annotations` | Additional labels to be added to thehidden node statefulset | `{}` |
+| `hidden.labels` | Annotations to be added to the hidden node statefulset | `{}` |
+| `hidden.topologySpreadConstraints` | MongoDB(®) Spread Constraints for hidden Pods | `[]` |
+| `hidden.lifecycleHooks` | LifecycleHook for the Hidden container to automate configuration before or after startup | `{}` |
+| `hidden.replicaCount` | Number of hidden nodes (only when `architecture=replicaset`) | `1` |
+| `hidden.terminationGracePeriodSeconds` | Hidden Termination Grace Period | `""` |
+| `hidden.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` |
+| `hidden.podManagementPolicy` | Pod management policy for hidden node | `OrderedReady` |
+| `hidden.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` |
+| `hidden.podAffinityPreset` | Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `hidden.podAntiAffinityPreset` | Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `hidden.nodeAffinityPreset.type` | Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `hidden.nodeAffinityPreset.key` | Hidden Node label key to match Ignored if `affinity` is set. | `""` |
+| `hidden.nodeAffinityPreset.values` | Hidden Node label values to match. Ignored if `affinity` is set. | `[]` |
+| `hidden.affinity` | Hidden node Affinity for pod assignment | `{}` |
+| `hidden.nodeSelector` | Hidden node Node labels for pod assignment | `{}` |
+| `hidden.tolerations` | Hidden node Tolerations for pod assignment | `[]` |
+| `hidden.podLabels` | Hidden node pod labels | `{}` |
+| `hidden.podAnnotations` | Hidden node Pod annotations | `{}` |
+| `hidden.priorityClassName` | Name of the existing priority class to be used by hidden node pod(s) | `""` |
+| `hidden.runtimeClassName` | Name of the runtime class to be used by hidden node pod(s) | `""` |
+| `hidden.podSecurityContext.enabled` | Enable Hidden pod(s)' Security Context | `true` |
+| `hidden.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `hidden.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `hidden.podSecurityContext.fsGroup` | Group ID for the volumes of the Hidden pod(s) | `1001` |
+| `hidden.podSecurityContext.sysctls` | sysctl settings of the Hidden pod(s)' | `[]` |
+| `hidden.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `hidden.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `hidden.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `hidden.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `hidden.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `hidden.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `hidden.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `hidden.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `hidden.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `hidden.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `hidden.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). | `none` |
+| `hidden.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `hidden.containerPorts.mongodb` | MongoDB(®) hidden container port | `27017` |
+| `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` |
+| `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
+| `hidden.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` |
+| `hidden.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` |
+| `hidden.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `hidden.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `hidden.readinessProbe.enabled` | Enable readinessProbe | `true` |
+| `hidden.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `hidden.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` |
+| `hidden.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` |
+| `hidden.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `hidden.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `hidden.startupProbe.enabled` | Enable startupProbe | `false` |
+| `hidden.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
+| `hidden.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `hidden.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `hidden.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` |
+| `hidden.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `hidden.customLivenessProbe` | Override default liveness probe for hidden node containers | `{}` |
+| `hidden.customReadinessProbe` | Override default readiness probe for hidden node containers | `{}` |
+| `hidden.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` |
+| `hidden.initContainers` | Add init containers to the MongoDB(®) Hidden pods. | `[]` |
+| `hidden.sidecars` | Add additional sidecar containers for the hidden node pod(s) | `[]` |
+| `hidden.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the hidden node container(s) | `[]` |
+| `hidden.extraVolumes` | Optionally specify extra list of additional volumes to the hidden node statefulset | `[]` |
+| `hidden.pdb.create` | Enable/disable a Pod Disruption Budget creation for hidden node pod(s) | `false` |
+| `hidden.pdb.minAvailable` | Minimum number/percentage of hidden node pods that should remain scheduled | `1` |
+| `hidden.pdb.maxUnavailable` | Maximum number/percentage of hidden node pods that may be made unavailable | `""` |
+| `hidden.persistence.enabled` | Enable hidden node data persistence using PVC | `true` |
+| `hidden.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
+| `hidden.persistence.storageClass` | PVC Storage Class for hidden node data volume | `""` |
+| `hidden.persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` |
+| `hidden.persistence.size` | PVC Storage Request for hidden node data volume | `8Gi` |
+| `hidden.persistence.annotations` | PVC annotations | `{}` |
+| `hidden.persistence.mountPath` | The path the volume will be mounted at, useful when using different MongoDB(®) images. | `/bitnami/mongodb` |
+| `hidden.persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments | `""` |
+| `hidden.persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
+| `hidden.persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` |
+| `hidden.persistence.volumeClaimTemplates.dataSource` | Set volumeClaimTemplate dataSource | `{}` |
+| `hidden.service.portName` | MongoDB(®) service port name | `mongodb` |
+| `hidden.service.ports.mongodb` | MongoDB(®) service port | `27017` |
+| `hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `hidden.service.annotations` | Provide any additional annotations that may be required | `{}` |
+| `hidden.service.headless.annotations` | Annotations for the headless service. | `{}` |
+
+### Metrics parameters
+
+| Name | Description | Value |
+| -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- |
+| `metrics.enabled` | Enable using a sidecar Prometheus exporter | `false` |
+| `metrics.image.registry` | MongoDB(®) Prometheus exporter image registry | `REGISTRY_NAME` |
+| `metrics.image.repository` | MongoDB(®) Prometheus exporter image repository | `REPOSITORY_NAME/mongodb-exporter` |
+| `metrics.image.digest` | MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `metrics.image.pullPolicy` | MongoDB(®) Prometheus exporter image pull policy | `IfNotPresent` |
+| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
+| `metrics.username` | String with username for the metrics exporter | `""` |
+| `metrics.password` | String with password for the metrics exporter | `""` |
+| `metrics.compatibleMode` | Enables old style mongodb-exporter metrics | `true` |
+| `metrics.collector.all` | Enable all collectors. Same as enabling all individual metrics | `false` |
+| `metrics.collector.diagnosticdata` | Boolean Enable collecting metrics from getDiagnosticData | `true` |
+| `metrics.collector.replicasetstatus` | Boolean Enable collecting metrics from replSetGetStatus | `true` |
+| `metrics.collector.dbstats` | Boolean Enable collecting metrics from dbStats | `false` |
+| `metrics.collector.topmetrics` | Boolean Enable collecting metrics from top admin command | `false` |
+| `metrics.collector.indexstats` | Boolean Enable collecting metrics from $indexStats | `false` |
+| `metrics.collector.collstats` | Boolean Enable collecting metrics from $collStats | `false` |
+| `metrics.collector.collstatsColls` | List of \.\ to get $collStats | `[]` |
+| `metrics.collector.indexstatsColls` | List - List of \.\ to get $indexStats | `[]` |
+| `metrics.collector.collstatsLimit` | Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit | `0` |
+| `metrics.extraFlags` | String with extra flags to the metrics exporter | `""` |
+| `metrics.command` | Override default container command (useful when using custom images) | `[]` |
+| `metrics.args` | Override default container args (useful when using custom images) | `[]` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
+| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `metrics.containerPort` | Port of the Prometheus metrics container | `9216` |
+| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template.
| `{}` | +| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` | +| `metrics.service.ports.metrics` | Port of the Prometheus metrics service | `9216` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` | +| `metrics.customReadinessProbe` | Override default 
readiness probe for MongoDB(®) containers | `{}` | +| `metrics.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the metrics container(s) | `[]` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricsRelabelConfigs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | Namespace where prometheusRules resource should be created | `""` | +| `metrics.prometheusRule.rules` | Rules to be created, check values for an example | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example, + +```console +helm install my-release \ + --set auth.rootPassword=secretpassword,auth.username=my-user,auth.password=my-password,auth.database=my-database \ + oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the MongoDB(®) `root` account password to `secretpassword`. Additionally, it creates a standard database user named `my-user`, with the password `my-password`, who has access to a database named `my-database`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mongodb/values.yaml) + +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). 
Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customize a new MongoDB instance + +The [Bitnami MongoDB(®) image](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) supports the use of custom scripts to initialize a fresh instance. In order to execute the scripts, two options are available: + +- Specify them using the `initdbScripts` parameter as dict. +- Define an external Kubernetes ConfigMap with all the initialization scripts by setting the `initdbScriptsConfigMap` parameter. Note that this will override the previous option. + +The allowed script extensions are `.sh` and `.js`. + +### Replicaset: Access MongoDB(®) nodes from outside the cluster + +In order to access MongoDB(®) nodes from outside the cluster when using a replicaset architecture, a specific service per MongoDB(®) pod will be created. 
There are two ways of configuring external access: + +- Using LoadBalancer services +- Using NodePort services. + +#### Use LoadBalancer services + +Two alternatives are available to use *LoadBalancer* services: + +- Use random load balancer IP addresses using an *initContainer* that waits for the IP addresses to be ready and discovers them automatically. An example deployment configuration is shown below: + + ```text + architecture=replicaset + replicaCount=2 + externalAccess.enabled=true + externalAccess.service.type=LoadBalancer + externalAccess.service.port=27017 + externalAccess.autoDiscovery.enabled=true + serviceAccount.create=true + rbac.create=true + ``` + + > NOTE: This option requires creating RBAC rules on clusters where RBAC policies are enabled. + +- Manually specify the load balancer IP addresses. An example deployment configuration is shown below, with the placeholder EXTERNAL-IP-ADDRESS-X used in place of the load balancer IP addresses: + + ```text + architecture=replicaset + replicaCount=2 + externalAccess.enabled=true + externalAccess.service.type=LoadBalancer + externalAccess.service.port=27017 + externalAccess.service.loadBalancerIPs[0]='EXTERNAL-IP-ADDRESS-1' + externalAccess.service.loadBalancerIPs[1]='EXTERNAL-IP-ADDRESS-2' + ``` + + > NOTE: This option requires knowing the load balancer IP addresses, so that each MongoDB® node's advertised hostname is configured with it. + +#### Use NodePort services + +Manually specify the node ports to use. An example deployment configuration is shown below, with the placeholder NODE-PORT-X used in place of the node ports: + +```text +architecture=replicaset +replicaCount=2 +externalAccess.enabled=true +externalAccess.service.type=NodePort +externalAccess.service.nodePorts[0]='NODE-PORT-1' +externalAccess.service.nodePorts[1]='NODE-PORT-2' +``` + +> NOTE: This option requires knowing the node ports that will be exposed, so each MongoDB® node's advertised hostname is configured with it. 
+
+The pod will try to get the external IP address of the node using the command `curl -s https://ipinfo.io/IP-ADDRESS` unless the `externalAccess.service.domain` parameter is set.
+
+### Bootstrapping with an External Cluster
+
+This chart is equipped with the ability to bring online a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. This effectively creates a hybrid MongoDB(®) Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single MongoDB(®) Deployment. This is helpful in situations where one may be migrating MongoDB(®) from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration:
+
+```yaml
+externalAccess:
+ externalMaster:
+ enabled: true
+ host: external-mongodb-0.internal
+```
+
+:warning: To bootstrap MongoDB(®) with an external master that lies outside of Kubernetes, be sure to set up external access using any of the suggested methods in this chart to have connectivity between the MongoDB(®) members. :warning:
+
+### Add extra environment variables
+
+To add extra environment variables (useful for advanced operations like custom init scripts), use the `extraEnvVars` property.
+
+```yaml
+extraEnvVars:
+ - name: LOG_LEVEL
+ value: error
+```
+
+Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` properties.
+
+### Use Sidecars and Init Containers
+
+If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter.
+
+```yaml
+sidecars:
+- name: your-image-name
+ image: your-image
+ imagePullPolicy: Always
+ ports:
+ - name: portname
+ containerPort: 1234
+```
+
+If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below:
+
+```yaml
+service:
+ extraPorts:
+ - name: extraPort
+ port: 11311
+ targetPort: 11311
+```
+
+> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers.
+
+If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example:
+
+```yaml
+initContainers:
+ - name: your-image-name
+ image: your-image
+ imagePullPolicy: Always
+ ports:
+ - name: portname
+ containerPort: 1234
+```
+
+Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/).
+
+### Persistence
+
+The [Bitnami MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) image stores the MongoDB(®) data and configurations at the `/bitnami/mongodb` path of the container.
+
+The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at this location. The volume is created using dynamic volume provisioning.
+
+If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/).
+
+### Backup and restore MongoDB(R) deployments
+
+Two different approaches are available to back up and restore Bitnami MongoDB® Helm chart deployments on Kubernetes:
+
+- Back up the data from the source deployment and restore it in a new deployment using MongoDB® built-in backup/restore tools.
+- Back up the persistent volumes from the source deployment and attach them to a new deployment using Velero, a Kubernetes backup/restore tool.
+
+#### Method 1: Backup and restore data using MongoDB® built-in tools
+
+This method involves the following steps:
+
+- Use the *mongodump* tool to create a snapshot of the data in the source cluster.
+- Create a new MongoDB® Cluster deployment and forward the MongoDB® Cluster service port for the new deployment.
+- Restore the data using the *mongorestore* tool to import the backup to the new cluster.
+
+> NOTE: Under this approach, it is important to create the new deployment on the destination cluster using the same credentials as the original deployment on the source cluster.
+
+#### Method 2: Back up and restore persistent data volumes
+
+This method involves copying the persistent data volumes for the MongoDB® nodes and reusing them in a new deployment with [Velero](https://velero.io/), an open source Kubernetes backup/restore tool. This method is only suitable when:
+
+- The Kubernetes provider is [supported by Velero](https://velero.io/docs/latest/supported-providers/).
+- Both clusters are on the same Kubernetes provider, as this is a requirement of [Velero's native support for migrating persistent volumes](https://velero.io/docs/latest/migration-case/).
+- The restored deployment on the destination cluster will have the same name, namespace, topology and credentials as the original deployment on the source cluster.
+
+This method involves the following steps:
+
+- Install Velero on the source and destination clusters.
+- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster.
+- Use Velero to restore the backed-up PVs on the destination cluster.
+- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data.
+
+Refer to our detailed [tutorial on backing up and restoring MongoDB® chart deployments on Kubernetes](https://docs.bitnami.com/tutorials/backup-restore-data-mongodb-kubernetes/), which covers both these approaches, for more information.
+
+### Use custom Prometheus rules
+
+Custom Prometheus rules can be defined for the Prometheus Operator by using the `prometheusRule` parameter. A basic configuration example is shown below:
+
+```text
+ metrics:
+ enabled: true
+ prometheusRule:
+ enabled: true
+ rules:
+ - name: rule1
+ rules:
+ - alert: HighRequestLatency
+ expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5
+ for: 10m
+ labels:
+ severity: page
+ annotations:
+ summary: High request latency
+```
+
+### Enable SSL/TLS
+
+This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(®) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. To enable full TLS encryption, set the `tls.enabled` parameter to `true`.
+
+#### Generate the self-signed certificates via pre-install Helm hooks
+
+The `secrets-ca.yaml` file utilizes the Helm "pre-install" hook to ensure that the certificates will only be generated on chart install.
+
+The `genCA()` function will create a new self-signed x509 certificate authority. The `genSignedCert()` function creates an object with the certificate and key, which are base64-encoded and used in a YAML-like object. The `genSignedCert()` function is passed the CN, an empty IP list (the nil part), the validity and the CA created previously.
+
+A Kubernetes Secret is used to hold the signed certificate created above, and the `initContainer` sets up the rest. Using Helm's hook annotations ensures that the certificates will only be generated on chart install. This will prevent overriding the certificates if the chart is upgraded.
+
+#### Use your own CA
+
+To use your own CA, set `tls.caCert` and `tls.caKey` with appropriate base64 encoded data. The `secrets-ca.yaml` file will utilize this data to create the Secret.
+
+> NOTE: Currently, only RSA private keys are supported.
+
+#### Access the cluster
+
+To access the cluster, enable the init container which generates the MongoDB(®) server/client PEM key needed to access the cluster. Please be sure to include the `$my_hostname` section with your actual hostname, and the alternative hostnames section should contain the hostnames that should be allowed access to the MongoDB(®) replicaset. Additionally, if external access is enabled, the load balancer IP addresses are added to the alternative names list.
+
+> NOTE: You will be generating self-signed certificates for the MongoDB(®) deployment. The init container generates a new MongoDB(®) private key which will be used to create a Certificate Authority (CA) and the public certificate for the CA. The Certificate Signing Request will be created as well and signed using the private key of the CA previously created. Finally, the PEM bundle will be created using the private key and public certificate. This process will be repeated for each node in the cluster.
+
+#### Start the cluster
+
+After the certificates have been generated and made available to the containers at the correct mount points, the MongoDB(®) server will be started with TLS enabled. The options for the TLS mode will be one of `disabled`, `allowTLS`, `preferTLS`, or `requireTLS`. This value can be changed via the `MONGODB_EXTRA_FLAGS` field using the `tlsMode` parameter. The client should now be able to connect to the TLS-enabled cluster with the provided certificates.
+
+### Set Pod affinity
+
+This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
+
+As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
+
+## Troubleshooting
+
+Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
+
+## Upgrading
+
+If authentication is enabled, it's necessary to set the `auth.rootPassword` (also `auth.replicaSetKey` when using a replicaset architecture) when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Credentials' section. Please note down the password, and run the command below to upgrade your chart:
+
+```console
+helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb --set auth.rootPassword=[PASSWORD] (--set auth.replicaSetKey=[REPLICASETKEY])
+```
+
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+> Note: you need to substitute the placeholders [PASSWORD] and [REPLICASETKEY] with the values obtained in the installation notes.
+
+### To 12.0.0
+
+This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.
+
+Affected values:
+
+- `strategyType` is replaced by `updateStrategy`
+- `service.port` is renamed to `service.ports.mongodb`
+- `service.nodePort` is renamed to `service.nodePorts.mongodb`
+- `externalAccess.service.port` is renamed to `externalAccess.hidden.service.ports.mongodb`
+- `rbac.role.rules` is renamed to `rbac.rules`
+- `externalAccess.hidden.service.port` is renamed ot `externalAccess.hidden.service.ports.mongodb`
+- `hidden.strategyType` is replaced by `hidden.updateStrategy`
+- `metrics.serviceMonitor.relabellings` is renamed to `metrics.serviceMonitor.relabelings`(typo fixed)
+- `metrics.serviceMonitor.additionalLabels` is renamed to `metrics.serviceMonitor.labels`
+
+Additionally also updates the MongoDB image dependency to it newest major, 5.0
+
+### To 11.0.0
+
+In this version, the mongodb-exporter bundled as part of this Helm chart was updated to a new version which, even it is not a major change, can contain breaking changes (from `0.11.X` to `0.30.X`).
+Please visit the release notes from the upstream project at
+
+### To 10.0.0
+
+[On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
+
+### To 9.0.0
+
+MongoDB(®) container images were updated to `4.4.x` and it can affect compatibility with older versions of MongoDB(®). Refer to the following guides to upgrade your applications:
+
+- [Standalone](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-standalone/)
+- [Replica Set](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-replica-set/)
+
+### To 8.0.0
+
+- Architecture used to configure MongoDB(®) as a replicaset was completely refactored. Now, both primary and secondary nodes are part of the same statefulset.
+- Chart labels were adapted to follow the Helm charts best practices.
+- This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade.
+- Several parameters were renamed or disappeared in favor of new ones on this major version. These are the most important ones:
+ - `replicas` is renamed to `replicaCount`.
+ - Authentication parameters are reorganized under the `auth.*` parameter:
+ - `usePassword` is renamed to `auth.enabled`.
+ - `mongodbRootPassword`, `mongodbUsername`, `mongodbPassword`, `mongodbDatabase`, and `replicaSet.key` are now `auth.rootPassword`, `auth.username`, `auth.password`, `auth.database`, and `auth.replicaSetKey` respectively.
+ - `securityContext.*` is deprecated in favor of `podSecurityContext` and `containerSecurityContext`.
+ - Parameters prefixed with `mongodb` are renamed removing the prefix. E.g. `mongodbEnableIPv6` is renamed to `enableIPv6`.
+ - Parameters affecting Arbiter nodes are reorganized under the `arbiter.*` parameter.
+
+Consequences:
+
+- Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new release of the MongoDB(®) chart, and migrate your data by creating a backup of the database, and restoring it on the new release.
+
+### To 7.0.0
+
+From this version, the way of setting the ingress rules has changed. Instead of using `ingress.paths` and `ingress.hosts` as separate objects, you should now define the rules as objects inside the `ingress.hosts` value, for example:
+
+```yaml
+ingress:
+ hosts:
+ - name: mongodb.local
+ path: /
+```
+
+### To 6.0.0
+
+From this version, `mongodbEnableIPv6` is set to `false` by default in order to work properly in most k8s clusters, if you want to use IPv6 support, you need to set this variable to `true` by adding `--set mongodbEnableIPv6=true` to your `helm` command.
+You can find more information in the [`bitnami/mongodb` image README](https://github.com/bitnami/containers/tree/main/bitnami/mongodb#readme).
+
+### To 5.0.0
+
+When enabling replicaset configuration, backwards compatibility is not guaranteed unless you modify the labels used on the chart's statefulsets.
+Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is `my-release`:
+
+```console
+kubectl delete statefulset my-release-mongodb-arbiter my-release-mongodb-primary my-release-mongodb-secondary --cascade=false
+```
+
+### Add extra deployment options
+
+To add extra deployments (useful for advanced features like sidecars), use the `extraDeploy` property.
+
+In the example below, you can find how to use a example here for a [MongoDB replica set pod labeler sidecar](https://github.com/combor/k8s-mongo-labeler-sidecar) to identify the primary pod and dynamically label it as the primary node:
+
+```yaml
+extraDeploy:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ name: mongodb-primary
+ namespace: default
+ labels:
+ app.kubernetes.io/component: mongodb
+ app.kubernetes.io/instance: mongodb
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: mongodb
+ spec:
+ type: NodePort
+ externalTrafficPolicy: Cluster
+ ports:
+ - name: mongodb-primary
+ port: 30001
+ nodePort: 30001
+ protocol: TCP
+ targetPort: mongodb
+ selector:
+ app.kubernetes.io/component: mongodb
+ app.kubernetes.io/instance: mongodb
+ app.kubernetes.io/name: mongodb
+ primary: "true"
+```
+
+## License
+
+Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/kubernetes/common/mongodb/common/.helmignore b/kubernetes/common/mongodb/common/.helmignore
new file mode 100644
index 0000000000..7c7c21d659
--- /dev/null
+++ b/kubernetes/common/mongodb/common/.helmignore
@@ -0,0 +1,24 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# img folder
+img/
diff --git a/kubernetes/common/mongodb/common/Chart.yaml b/kubernetes/common/mongodb/common/Chart.yaml
new file mode 100644
index 0000000000..5a844bc7aa
--- /dev/null
+++ b/kubernetes/common/mongodb/common/Chart.yaml
@@ -0,0 +1,26 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+annotations:
+ category: Infrastructure
+ licenses: Apache-2.0
+apiVersion: v2
+# Please make sure that version and appVersion are always the same.
+appVersion: 2.16.1
+description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
+home: https://bitnami.com
+icon: https://bitnami.com/downloads/logos/bitnami-mark.png
+keywords:
+ - common
+ - helper
+ - template
+ - function
+ - bitnami
+maintainers:
+ - name: VMware, Inc.
+ url: https://github.com/bitnami/charts
+name: common
+sources:
+ - https://github.com/bitnami/charts
+type: library
+version: 2.17.0
diff --git a/kubernetes/common/mongodb/common/README.md b/kubernetes/common/mongodb/common/README.md
new file mode 100644
index 0000000000..0d01a1e064
--- /dev/null
+++ b/kubernetes/common/mongodb/common/README.md
@@ -0,0 +1,235 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 2.x.x + repository: oci://registry-1.docker.io/bitnamicharts +``` + +```console +helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ + +## Parameters + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). 
+ +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... 
+ env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? 
+ +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +#### Useful links + +- +- +- + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/common/mongodb/common/templates/_affinities.tpl b/kubernetes/common/mongodb/common/templates/_affinities.tpl new file mode 100644 index 0000000000..e85b1df454 --- /dev/null 
+++ b/kubernetes/common/mongodb/common/templates/_affinities.tpl 
@@ -0,0 +1,139 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . 
-}} + {{- end -}} +{{- end -}} + +{{/* +Return a topologyKey definition +{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} +*/}} +{{- define "common.affinities.topologyKey" -}} +{{ .topologyKey | default "kubernetes.io/hostname" -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: 1 + {{- range $extraPodAffinityTerms }} + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: {{ .weight | default 1 -}} + {{- end -}} +{{- end -}} + +{{/* +Return a hard 
podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- range $extraPodAffinityTerms }} + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- end -}} +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} 
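Review bot: `common.affinities.nodes` and `common.affinities.pods` render nothing when `.type` is neither `soft` nor `hard`, so a misspelled preset silently drops the affinity rule instead of failing the render. Where a hard anti-affinity is relied on to keep replicas on separate nodes, that gap is invisible until a node is lost. Consider a final branch in both dispatchers such as `{{- else -}}{{- fail (printf "unknown affinity type %q" .type) -}}`. Separately, the usage comment above `common.affinities.pods` lists `key` and `values`, which the pod helpers never read; it should show `component`, `customLabels`, `topologyKey` and `context`, as the soft/hard helpers' comments do.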
diff --git a/kubernetes/common/mongodb/common/templates/_capabilities.tpl b/kubernetes/common/mongodb/common/templates/_capabilities.tpl new file mode 100644 index 0000000000..115674af87 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_capabilities.tpl 
@@ -0,0 +1,229 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) 
-}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) 
-}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. +*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- if semverCompare ">=1.23-0" (include "common.capabilities.kubeVersion" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. 
+*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiserver.config.k8s.io/v1alpha1" -}} +{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} +{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_errors.tpl b/kubernetes/common/mongodb/common/templates/_errors.tpl new file mode 100644 index 0000000000..07ded6f64d --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_errors.tpl 
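Review bot: `common.capabilities.vpa.apiVersion` has the same body as the HPA helper and returns `autoscaling/v2beta1`, `autoscaling/v2beta2` or `autoscaling/v2`, but VerticalPodAutoscaler objects are served from the `autoscaling.k8s.io` group, so a manifest built with this helper would not match a VPA CRD. Whether anything in this repository includes the helper is not visible here; if the file is kept as an unmodified upstream copy, a comment such as `{{/* NOTE: returns HPA API versions; VPA uses autoscaling.k8s.io */}}` would stop it being wired up as-is, otherwise the branches should print `autoscaling.k8s.io/v1`. Both autoscaler helpers also read `.context` and `.beta2` from a dict while every other helper in the file takes the root context directly, and their header comments should say so.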
@@ -0,0 +1,28 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Through error when upgrading using empty passwords values that must not be empty.
+
+Usage:
+{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
+{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }}
+
+Required password params:
+ - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error.
+ - context - Context - Required. Parent context.
+*/}}
+{{- define "common.errors.upgrade.passwords.empty" -}}
+ {{- $validationErrors := join "" .validationErrors -}}
+ {{- if and $validationErrors .context.Release.IsUpgrade -}}
+ {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}}
+ {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}}
+ {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}}
+ {{- $errorString = print $errorString "\n%s" -}}
+ {{- printf $errorString $validationErrors | fail -}}
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/_images.tpl b/kubernetes/common/mongodb/common/templates/_images.tpl
new file mode 100644
index 0000000000..1bcb779df5
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/_images.tpl
@@ -0,0 +1,117 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end }} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . 
}} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . 
}} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images.version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} + diff --git a/kubernetes/common/mongodb/common/templates/_ingress.tpl b/kubernetes/common/mongodb/common/templates/_ingress.tpl new file mode 100644 index 0000000000..efa5b85c72 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_ingress.tpl 
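Review bot: Both `common.images.pullSecrets` and `common.images.renderPullSecrets` emit `- name: {{ . }}` unquoted, and in the render variant the value is the output of `common.tplvalues.render`, so a value containing a newline or `: ` changes the structure of the pod spec rather than just the secret name. Values files are normally operator-controlled, but quoting costs nothing and is what the affinity helpers in this commit already do for label values: `- name: {{ . | quote }}`. The usage comments on both helpers also show `(list .Values.path.to.the.image1, .Values.path.to.the.image2)`; Go templates do not accept the comma, so the example should read `(list .Values.path.to.the.image1 .Values.path.to.the.image2)`.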
@@ -0,0 +1,73 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) 
-}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_labels.tpl b/kubernetes/common/mongodb/common/templates/_labels.tpl new file mode 100644 index 0000000000..d90a6cdc0c --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_labels.tpl 
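Review bot: In `common.ingress.backend`, the `port:` block only has branches for `string`, `int` and `float64`, so a `servicePort` of any other type renders `port:` with neither `name` nor `number`, and the problem surfaces only when the manifest is applied. A closing branch that fails the render makes the mistake visible at template time: `{{- else }}{{- fail "common.ingress.backend: servicePort must be a string or a number" }}`. The Params comment should also state that a missing or otherwise-typed `servicePort` is rejected.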
@@ -0,0 +1,46 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Kubernetes standard labels +{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} +*/}} +{{- define "common.labels.standard" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector +{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} + +We don't want to loop over custom labels appending them to the selector +since it's very likely that it will break deployments, services, etc. +However, it's important to overwrite the standard labels if the user +overwrote them on metadata.labels fields. +*/}} +{{- define "common.labels.matchLabels" -}} +{{- if and (hasKey . "customLabels") (hasKey . 
"context") -}} +{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_names.tpl b/kubernetes/common/mongodb/common/templates/_names.tpl new file mode 100644 index 0000000000..a222924f14 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_names.tpl 
@@ -0,0 +1,71 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "common.names.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "common.names.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "common.names.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified dependency name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Usage:
+{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }}
+*/}}
+{{- define "common.names.dependency.fullname" -}}
+{{- if .chartValues.fullnameOverride -}}
+{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .chartName .chartValues.nameOverride -}}
+{{- if contains $name .context.Release.Name -}}
+{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+*/}}
+{{- define "common.names.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified app name adding the installation's namespace.
+*/}}
+{{- define "common.names.fullname.namespace" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/_resources.tpl b/kubernetes/common/mongodb/common/templates/_resources.tpl
new file mode 100644
index 0000000000..5eb56caa39
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/_resources.tpl
@@ -0,0 +1,50 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return a resource request/limit object based on a given preset.
+These presets are for basic testing and not meant to be used in production
+{{ include "common.resources.preset" (dict "type" "nano") -}}
+*/}}
+{{- define "common.resources.preset" -}}
+{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
+{{- $presets := dict
+ "nano" (dict
+ "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
+ )
+ "micro" (dict
+ "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
+ )
+ "small" (dict
+ "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
+ )
+ "medium" (dict
+ "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
+ )
+ "large" (dict
+ "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
+ )
+ "xlarge" (dict
+ "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
+ )
+ "2xlarge" (dict
+ "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
+ "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
+ )
+ }}
+{{- if hasKey $presets .type -}}
+{{- index $presets .type | toYaml -}}
+{{- else -}}
+{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/_secrets.tpl b/kubernetes/common/mongodb/common/templates/_secrets.tpl
new file mode 100644
index 0000000000..84dbe38036
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/_secrets.tpl
@@ -0,0 +1,182 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Generate secret name.
+
+Usage:
+{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "common.secrets.name" -}}
+{{- $name := (include "common.names.fullname" .context) -}}
+
+{{- if .defaultNameSuffix -}}
+{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- with .existingSecret -}}
+{{- if not (typeIs "string" .) -}}
+{{- with .name -}}
+{{- $name = . -}}
+{{- end -}}
+{{- else -}}
+{{- $name = . -}}
+{{- end -}}
+{{- end -}}
+
+{{- printf "%s" $name -}}
+{{- end -}}
+
+{{/*
+Generate secret key.
+
+Usage:
+{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
+
+Params:
+ - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
+ to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+ +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
+ - key - String - Required. Name of the key in the secret.
+*/}}
+{{- define "common.secrets.key" -}}
+{{- $key := .key -}}
+
+{{- if .existingSecret -}}
+ {{- if not (typeIs "string" .existingSecret) -}}
+ {{- if .existingSecret.keyMapping -}}
+ {{- $key = index .existingSecret.keyMapping $.key -}}
+ {{- end -}}
+ {{- end }}
+{{- end -}}
+
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Generate secret password or retrieve one if already created.
+
+Usage:
+{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - length - int - Optional - Length of the generated random password.
+ - strong - Boolean - Optional - Whether to add symbols to the generated random password.
+ - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
+ - context - Context - Required - Parent context.
+ - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
+ - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
+ - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
+The order in which this function returns a secret password:
+ 1. Already existing 'Secret' resource
+ (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
+ 2.
Password provided via the values.yaml
+ (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
+ 3. Randomly generated secret password
+ (A new random secret password with the length specified in the 'length' parameter will be generated and returned)
+
+*/}}
+{{- define "common.secrets.passwords.manage" -}}
+
+{{- $password := "" }}
+{{- $subchart := "" }}
+{{- $chartName := default "" .chartName }}
+{{- $passwordLength := default 10 .length }}
+{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
+{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
+{{- if $secretData }}
+ {{- if hasKey $secretData .key }}
+ {{- $password = index $secretData .key | b64dec }}
+ {{- else if not (eq .failOnNew false) }}
+ {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
+ {{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString }}
+ {{- end -}}
+{{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString }}
+{{- else }}
+
+ {{- if .context.Values.enabled }}
+ {{- $subchart = $chartName }}
+ {{- end -}}
+
+ {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
+ {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
+ {{- $passwordValidationErrors := list $requiredPasswordError -}}
+ {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
+
+ {{- if .strong }}
+ {{- $subStr := list (lower
(randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
+ {{- $password = randAscii $passwordLength }}
+ {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
+ {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
+ {{- else }}
+ {{- $password = randAlphaNum $passwordLength }}
+ {{- end }}
+{{- end -}}
+{{- if not .skipB64enc }}
+{{- $password = $password | b64enc }}
+{{- end -}}
+{{- if .skipQuote -}}
+{{- printf "%s" $password -}}
+{{- else -}}
+{{- printf "%s" $password | quote -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Reuses the value from an existing secret, otherwise sets its value to a default value.
+
+Usage:
+{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - context - Context - Required - Parent context.
+
+*/}}
+{{- define "common.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns whether a previous generated secret already exists
+
+Usage:
+{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - context - Context - Required - Parent context.
+*/}}
+{{- define "common.secrets.exists" -}}
+{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }}
+{{- if $secret }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/_storage.tpl b/kubernetes/common/mongodb/common/templates/_storage.tpl
new file mode 100644
index 0000000000..16405a0f8b
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/_storage.tpl
@@ -0,0 +1,28 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Return the proper Storage Class
+{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
+*/}}
+{{- define "common.storage.class" -}}
+
+{{- $storageClass := .persistence.storageClass -}}
+{{- if .global -}}
+ {{- if .global.storageClass -}}
+ {{- $storageClass = .global.storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- if $storageClass -}}
+ {{- if (eq "-" $storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" $storageClass -}}
+ {{- end -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/_tplvalues.tpl b/kubernetes/common/mongodb/common/templates/_tplvalues.tpl
new file mode 100644
index 0000000000..a8ed7637ef
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/_tplvalues.tpl
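Review bot: In `common.secrets.passwords.manage` (_secrets.tpl) generated passwords default to 10 characters (`default 10 .length`), and with `strong` set the random part is shorter still: `substr 5 $passwordLength` keeps only length minus five characters of the `randAscii` output, every non-word character is folded to `@`, and the prefix built with `join "_"` contributes two fixed underscores. At the default length that leaves five free characters plus three constrained ones, which looks like less entropy than the plain `randAlphaNum` branch. I would raise the default, e.g. `{{- $passwordLength := default 16 .length }}`, or have every caller pass an explicit `length`. The Params comment also describes `skipB64enc` as "base64 encrypted"; base64 is an encoding, so `If set to true, the secret will not be base64 encoded.` is the accurate wording.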
@@ -0,0 +1,38 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template perhaps with scope if the scope is present.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
+{{- if contains "{{" (toJson .value) }}
+ {{- if .scope }}
+ {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
+ {{- else }}
+ {{- tpl $value .context }}
+ {{- end }}
+{{- else }}
+ {{- $value }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Merge a list of values that contains template after rendering them.
+Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge
+Usage:
+{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
+*/}}
+{{- define "common.tplvalues.merge" -}}
+{{- $dst := dict -}}
+{{- range .values -}}
+{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}}
+{{- end -}}
+{{ $dst | toYaml }}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/_utils.tpl b/kubernetes/common/mongodb/common/templates/_utils.tpl
new file mode 100644
index 0000000000..1deefa1a26
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/_utils.tpl
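Review bot: `common.tplvalues.render` (_tplvalues.tpl) hands any value containing `{{` to `tpl` with the full chart context, and its header comment does not say that values routed through it are executed as templates rather than treated as data. Anyone who can supply such a value gets the whole template function set at render time, so these values need the same trust as the chart itself. I would add to the comment: `Values are evaluated as templates against .context; only pass values that come from a trusted values file.`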
@@ -0,0 +1,77 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Print instructions to get a secret value.
+Usage:
+{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }}
+*/}}
+{{- define "common.utils.secret.getvalue" -}}
+{{- $varname := include "common.utils.fieldToEnvVar" . -}}
+export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
+{{- end -}}
+
+{{/*
+Build env var name given a field
+Usage:
+{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }}
+*/}}
+{{- define "common.utils.fieldToEnvVar" -}}
+ {{- $fieldNameSplit := splitList "-" .field -}}
+ {{- $upperCaseFieldNameSplit := list -}}
+
+ {{- range $fieldNameSplit -}}
+ {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}}
+ {{- end -}}
+
+ {{ join "_" $upperCaseFieldNameSplit }}
+{{- end -}}
+
+{{/*
+Gets a value from .Values given
+Usage:
+{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }}
+*/}}
+{{- define "common.utils.getValueFromKey" -}}
+{{- $splitKey := splitList "." .key -}}
+{{- $value := "" -}}
+{{- $latestObj := $.context.Values -}}
+{{- range $splitKey -}}
+ {{- if not $latestObj -}}
+ {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}}
+ {{- end -}}
+ {{- $value = ( index $latestObj .
) -}}
+ {{- $latestObj = $value -}}
+{{- end -}}
+{{- printf "%v" (default "" $value) -}}
+{{- end -}}
+
+{{/*
+Returns first .Values key with a defined value or first of the list if all non-defined
+Usage:
+{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }}
+*/}}
+{{- define "common.utils.getKeyFromList" -}}
+{{- $key := first .keys -}}
+{{- $reverseKeys := reverse .keys }}
+{{- range $reverseKeys }}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }}
+ {{- if $value -}}
+ {{- $key = . }}
+ {{- end -}}
+{{- end -}}
+{{- printf "%s" $key -}}
+{{- end -}}
+
+{{/*
+Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376).
+Usage:
+{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }}
+*/}}
+{{- define "common.utils.checksumTemplate" -}}
+{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}}
+{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/_warnings.tpl b/kubernetes/common/mongodb/common/templates/_warnings.tpl
new file mode 100644
index 0000000000..0f763cd827
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/_warnings.tpl
@@ -0,0 +1,82 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Warning about using rolling tag.
+Usage:
+{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
+*/}}
+{{- define "common.warnings.rollingTag" -}}
+
+{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
+{{- end }}
+{{- end -}}
+
+{{/*
+Warning about not setting the resource object in all deployments.
+Usage:
+{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
+Example:
+{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
+The list in the example assumes that the following values exist:
+ - csiProvider.provider.resources
+ - server.resources
+ - volumePermissions.resources
+ - resources
+*/}}
+{{- define "common.warnings.resources" -}}
+{{- $values := .context.Values -}}
+{{- $printMessage := false -}}
+{{ $affectedSections := list -}}
+{{- range .sections -}}
+ {{- if eq . "" -}}
+ {{/* Case where the resources section is at the root (one main deployment in the chart) */}}
+ {{- if not (index $values "resources") -}}
+ {{- $affectedSections = append $affectedSections "resources" -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
+ {{- $keys := split "." . -}}
+ {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
+ {{- $section := $values -}}
+ {{- range $keys -}}
+ {{- $section = index $section .
-}}
+ {{- end -}}
+ {{- if not (index $section "resources") -}}
+ {{/* If the section has enabled=false or replicaCount=0, do not include it */}}
+ {{- if and (hasKey $section "enabled") -}}
+ {{- if index $section "enabled" -}}
+ {{/* enabled=true */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else if and (hasKey $section "replicaCount") -}}
+ {{/* We need a casting to int because number 0 is not treated as an int by default */}}
+ {{- if (gt (index $section "replicaCount" | int) 0) -}}
+ {{/* replicaCount > 0 */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- else -}}
+ {{/* Default case, add it to the affected sections */}}
+ {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
+ {{- $printMessage = true -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- if $printMessage }}
+
+WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
+{{- range $affectedSections }}
+ - {{ . }}
+{{- end }}
++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/validations/_cassandra.tpl b/kubernetes/common/mongodb/common/templates/validations/_cassandra.tpl
new file mode 100644
index 0000000000..eda9aada56
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/validations/_cassandra.tpl
@@ -0,0 +1,77 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Cassandra required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.cassandra.passwords" -}}
+ {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
+ {{- $enabled := include "common.cassandra.values.enabled" . -}}
+ {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
+ {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.cassandra.values.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.cassandra.dbUser.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.dbUser.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled cassandra.
+
+Usage:
+{{ include "common.cassandra.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.cassandra.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.cassandra.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key dbUser
+
+Usage:
+{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
+*/}}
+{{- define "common.cassandra.values.key.dbUser" -}}
+ {{- if .subchart -}}
+ cassandra.dbUser
+ {{- else -}}
+ dbUser
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/validations/_mariadb.tpl b/kubernetes/common/mongodb/common/templates/validations/_mariadb.tpl
new file mode 100644
index 0000000000..17d83a2fd4
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/validations/_mariadb.tpl
@@ -0,0 +1,108 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MariaDB required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mariadb.passwords" -}}
+ {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mariadb.values.enabled" . -}}
+ {{- $architecture := include "common.mariadb.values.architecture" . -}}
+ {{- $authPrefix := include "common.mariadb.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey"
$valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mariadb.
+
+Usage:
+{{ include "common.mariadb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mariadb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mariadb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false
+*/}}
+{{- define "common.mariadb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mariadb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not.
Default: false
+*/}}
+{{- define "common.mariadb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mariadb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/validations/_mongodb.tpl b/kubernetes/common/mongodb/common/templates/validations/_mongodb.tpl
new file mode 100644
index 0000000000..bbb445b861
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/validations/_mongodb.tpl
@@ -0,0 +1,113 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MongoDB® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret"
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mongodb.passwords" -}}
+ {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mongodb.values.enabled" . -}}
+ {{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
+ {{- $architecture := include "common.mongodb.values.architecture" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
+ {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
+
+ {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase
"context" .context) }}
+ {{- if and $valueUsername $valueDatabase -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replicaset") -}}
+ {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mongodb.
+
+Usage:
+{{ include "common.mongodb.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mongodb.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mongodb.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not.
Default: false
+*/}}
+{{- define "common.mongodb.values.key.auth" -}}
+ {{- if .subchart -}}
+ mongodb.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false
+*/}}
+{{- define "common.mongodb.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mongodb.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/validations/_mysql.tpl b/kubernetes/common/mongodb/common/templates/validations/_mysql.tpl
new file mode 100644
index 0000000000..ca3953f868
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/validations/_mysql.tpl
@@ -0,0 +1,108 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate MySQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.mysql.passwords" -}}
+ {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
+ {{- $enabled := include "common.mysql.values.enabled" . -}}
+ {{- $architecture := include "common.mysql.values.architecture" . -}}
+ {{- $authPrefix := include "common.mysql.values.key.auth" . -}}
+ {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
+ {{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
+ {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+ {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
+
+ {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
+ {{- if not (empty $valueUsername) -}}
+ {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+ {{- end -}}
+
+ {{- if (eq $architecture "replication") -}}
+ {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret 
"field" "mysql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.auth.existingSecret" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.auth.existingSecret | quote -}}
+ {{- else -}}
+ {{- .context.Values.auth.existingSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled mysql.
+
+Usage:
+{{ include "common.mysql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.mysql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.mysql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for architecture
+
+Usage:
+{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
+*/}}
+{{- define "common.mysql.values.architecture" -}}
+ {{- if .subchart -}}
+ {{- .context.Values.mysql.architecture -}}
+ {{- else -}}
+ {{- .context.Values.architecture -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. 
Default: false
+*/}}
+{{- define "common.mysql.values.key.auth" -}}
+ {{- if .subchart -}}
+ mysql.auth
+ {{- else -}}
+ auth
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/validations/_postgresql.tpl b/kubernetes/common/mongodb/common/templates/validations/_postgresql.tpl
new file mode 100644
index 0000000000..8c9aa570e2
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/validations/_postgresql.tpl 
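Review bot: In `common.mysql.values.enabled` the non-subchart branch returns `printf "%v" (not .context.Values.enabled)`, so a standalone chart that defines a top-level `enabled: true` reports "false" and `common.validations.values.mysql.passwords` skips every empty-password check without printing anything. If the intent is that a standalone chart is always validated (it reads that way, but the hunk does not say so), the negation needs a comment such as `{{/* standalone charts carry no top-level "enabled" key; a missing key negates to true */}}`, and the helper's header should list the `subchart` param as its siblings do. The same branch is in `common.postgresql.values.enabled` and `common.redis.values.enabled` in the following files, and in `common.mongodb.values.enabled` in the preceding one.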
@@ -0,0 +1,134 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate PostgreSQL required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.postgresql.passwords" -}}
+ {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
+ {{- $enabled := include "common.postgresql.values.enabled" . -}}
+ {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
+ {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+ {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
+
+ {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
+ {{- if (eq $enabledReplication "true") -}}
+ {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to decide whether evaluate global values. 
+
+Usage:
+{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }}
+Params:
+ - key - String - Required. Field to be evaluated within global, e.g: "existingSecret"
+*/}}
+{{- define "common.postgresql.values.use.global" -}}
+ {{- if .context.Values.global -}}
+ {{- if .context.Values.global.postgresql -}}
+ {{- index .context.Values.global.postgresql .key | quote -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "common.postgresql.values.existingSecret" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.existingSecret" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}}
+
+ {{- if .subchart -}}
+ {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}}
+ {{- else -}}
+ {{- default (.context.Values.existingSecret | quote) $globalValue -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled postgresql.
+
+Usage:
+{{ include "common.postgresql.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.postgresql.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key postgressPassword.
+
+Usage:
+{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. 
Default: false
+*/}}
+{{- define "common.postgresql.values.key.postgressPassword" -}}
+ {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}}
+
+ {{- if not $globalValue -}}
+ {{- if .subchart -}}
+ postgresql.postgresqlPassword
+ {{- else -}}
+ postgresqlPassword
+ {{- end -}}
+ {{- else -}}
+ global.postgresql.postgresqlPassword
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled.replication.
+
+Usage:
+{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.enabled.replication" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.postgresql.replication.enabled -}}
+ {{- else -}}
+ {{- printf "%v" .context.Values.replication.enabled -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key replication.password.
+
+Usage:
+{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
+*/}}
+{{- define "common.postgresql.values.key.replicationPassword" -}}
+ {{- if .subchart -}}
+ postgresql.replication.password
+ {{- else -}}
+ replication.password
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/validations/_redis.tpl b/kubernetes/common/mongodb/common/templates/validations/_redis.tpl
new file mode 100644
index 0000000000..fc0d208dd4
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/validations/_redis.tpl 
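Review bot: `common.postgresql.values.key.postgressPassword` chooses between the chart-level and the global password key by looking up the global `postgresqlUsername`, not the global password. With a global username set and no global password, the validator is pointed at `global.postgresql.postgresqlPassword` and reports it empty even when the chart-level password is set; with only a global password set, the chart-level key is checked instead (which key the deployment actually consumes is outside this hunk, so this is inferred). The lookup probably wants `(dict "key" "postgresqlPassword" "context" .context)`. Separately, `$valueKeyPostgresqlReplicationEnabled` in `common.validations.values.postgresql.passwords` holds the replication password key, so `$valueKeyPostgresqlReplicationPassword` would be the less misleading name.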
@@ -0,0 +1,81 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate Redis® required passwords are not empty.
+
+Usage:
+{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+ - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.validations.values.redis.passwords" -}}
+ {{- $enabled := include "common.redis.values.enabled" . -}}
+ {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
+ {{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
+
+ {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
+ {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
+
+ {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
+ {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
+
+ {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+ {{- $requiredPasswords := list -}}
+
+ {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
+ {{- if eq $useAuth "true" -}}
+ {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
+ {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
+ {{- end -}}
+
+ {{- include "common.validations.values.multiple.empty" (dict 
"required" $requiredPasswords "context" .context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled redis.
+
+Usage:
+{{ include "common.redis.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.enabled" -}}
+ {{- if .subchart -}}
+ {{- printf "%v" .context.Values.redis.enabled -}}
+ {{- else -}}
+ {{- printf "%v" (not .context.Values.enabled) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right prefix path for the values
+
+Usage:
+{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }}
+Params:
+ - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
+*/}}
+{{- define "common.redis.values.keys.prefix" -}}
+ {{- if .subchart -}}redis.{{- else -}}{{- end -}}
+{{- end -}}
+
+{{/*
+Checks whether the redis chart's includes the standarizations (version >= 14)
+
+Usage:
+{{ include "common.redis.values.standarized.version" (dict "context" $) }}
+*/}}
+{{- define "common.redis.values.standarized.version" -}}
+
+ {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}}
+ {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }}
+
+ {{- if $standarizedAuthValues -}}
+ {{- true -}}
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/templates/validations/_validations.tpl b/kubernetes/common/mongodb/common/templates/validations/_validations.tpl
new file mode 100644
index 0000000000..31ceda871f
--- /dev/null
+++ b/kubernetes/common/mongodb/common/templates/validations/_validations.tpl 
@@ -0,0 +1,51 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate values must not be empty.
+
+Usage:
+{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}}
+{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}}
+{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+*/}}
+{{- define "common.validations.values.multiple.empty" -}}
+ {{- range .required -}}
+ {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}}
+ {{- end -}}
+{{- end -}}
+
+{{/*
+Validate a value must not be empty.
+
+Usage:
+{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }}
+
+Validate value params:
+ - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password"
+ - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret"
+ - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password"
+ - subchart - String - Optional - Name of the subchart that the validated password is part of. 
+*/}}
+{{- define "common.validations.values.single.empty" -}}
+ {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }}
+ {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }}
+
+ {{- if not $value -}}
+ {{- $varname := "my-value" -}}
+ {{- $getCurrentValue := "" -}}
+ {{- if and .secret .field -}}
+ {{- $varname = include "common.utils.fieldToEnvVar" . -}}
+ {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}}
+ {{- end -}}
+ {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}}
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/mongodb/common/values.yaml b/kubernetes/common/mongodb/common/values.yaml
new file mode 100644
index 0000000000..36b8aba71a
--- /dev/null
+++ b/kubernetes/common/mongodb/common/values.yaml
@@ -0,0 +1,9 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+## bitnami/common
+## It is required by CI/CD tools and processes.
+## @skip exampleValue
+##
+
+exampleValue: common-chart
diff --git a/kubernetes/common/mongodb/templates/NOTES.txt b/kubernetes/common/mongodb/templates/NOTES.txt
new file mode 100644
index 0000000000..89a693ea34
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/NOTES.txt 
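Review bot: Both Usage examples in `_validations.tpl` name templates that the file does not define: `common.validations.values.empty` and `common.validations.value.empty`, while the definitions are `common.validations.values.multiple.empty` and `common.validations.values.single.empty`. A caller who copies an example gets a missing-template error at render time, so the two Usage lines should carry the defined names. The header of `common.validations.values.single.empty` should also say that the template only returns the message text; whether an empty password actually stops the install depends on the caller handing the result to `fail`, which is outside this hunk. `common.validations.values.multiple.empty` does not forward `subchart`, so the `$subchart` prefix in the `--set` hint is always empty on that path.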
@@ -0,0 +1,203 @@
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+{{- if .Values.diagnosticMode.enabled }}
+The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with:
+
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }}
+ args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }}
+
+Get the list of pods by executing:
+
+ kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+Access the pod you want to debug by executing
+
+ kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash
+
+In order to replicate the container startup scripts execute this command:
+
+ /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh
+
+{{- else }}
+
+{{- $replicaCount := int .Values.replicaCount }}
+{{- $portNumber := int .Values.service.ports.mongodb }}
+{{- $fullname := include "mongodb.fullname" . }}
+{{- $releaseNamespace := include "mongodb.namespace" . 
}}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }}
+{{- $mongoList := list }}
+{{- range $e, $i := until $replicaCount }}
+{{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }}
+{{- end }}
+
+{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.service.type "LoadBalancer") }}
+
+####################################################################################
+### ERROR: You enabled external access to MongoDB® nodes without specifying ###
+### the array of load balancer IPs for MongoDB® nodes. ###
+####################################################################################
+
+This deployment will be incomplete until you configure the array of load balancer
+IPs for MongoDB® nodes. To complete your deployment follow the steps below:
+
+1. Wait for the load balancer IPs (it may take a few minutes for them to be available):
+
+ kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb" -w
+
+2. Obtain the load balancer IPs and upgrade your chart:
+
+ {{- range $e, $i := until $replicaCount }}
+ LOAD_BALANCER_IP_{{ add $i 1 }}="$(kubectl get svc --namespace {{ $releaseNamespace }} {{ $fullname }}-{{ $i }}-external -o jsonpath='{.status.loadBalancer.ingress[0].ip}')"
+ {{- end }}
+
+3. 
Upgrade you chart:
+
+ helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/{{ .Chart.Name }} \
+ --set mongodb.replicaCount={{ $replicaCount }} \
+ --set mongodb.externalAccess.enabled=true \
+ {{- range $i, $e := until $replicaCount }}
+ --set mongodb.externalAccess.service.loadBalancerIPs[{{ $i }}]=$LOAD_BALANCER_IP_{{ add $i 1 }} \
+ {{- end }}
+ --set mongodb.externalAccess.service.type=LoadBalancer
+
+{{- else }}
+
+{{- if and (or (and (eq .Values.architecture "standalone") (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort"))) (and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled)) (not .Values.auth.enabled) }}
+-------------------------------------------------------------------------------
+ WARNING
+
+ By not enabling "mongodb.auth.enabled" you have most likely exposed the
+ MongoDB® service externally without any authentication mechanism.
+
+ For security reasons, we strongly suggest that you enable authentiation
+ setting the "mongodb.auth.enabled" parameter to "true".
+
+-------------------------------------------------------------------------------
+{{- end }}
+
+** Please be patient while the chart is being deployed **
+
+MongoDB® can be accessed on the following DNS name(s) and ports from within your cluster:
+
+{{- if eq .Values.architecture "replicaset" }}
+{{ join "\n" $mongoList | nindent 4 }}
+{{- else }}
+
+ {{ $fullname }}.{{ $releaseNamespace }}.svc.{{ .Values.clusterDomain }}
+
+{{- end }}
+
+{{- if .Values.auth.enabled }}
+
+To get the root password run:
+
+ export MONGODB_ROOT_PASSWORD=$(kubectl get secret --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.secretName" . }} -o jsonpath="{.data.mongodb-root-password}" | base64 -d)
+
+{{- end }}
+{{- $customUsers := include "mongodb.customUsers" . -}}
+{{- $customDatabases := include "mongodb.customDatabases" . 
-}}
+{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
+{{- $customUsersList := splitList "," $customUsers }}
+{{- range $index, $user := $customUsersList }}
+
+To get the password for "{{ $user }}" run:
+
+ export MONGODB_PASSWORD=$(kubectl get secret --namespace {{ include "mongodb.namespace" $ }} {{ include "mongodb.secretName" $ }} -o jsonpath="{.data.mongodb-passwords}" | base64 -d | awk -F',' '{print ${{ add 1 $index }}}')
+
+{{- end }}
+{{- end }}
+
+To connect to your database, create a MongoDB® client container:
+
+ kubectl run --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.fullname" . }}-client --rm --tty -i --restart='Never' --env="MONGODB_ROOT_PASSWORD=$MONGODB_ROOT_PASSWORD" --image {{ template "mongodb.image" . }} --command -- bash
+
+Then, run the following command:
+
+ {{- if eq .Values.architecture "replicaset" }}
+ mongosh admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }}
+ {{- else }}
+ mongosh admin --host "{{ template "mongodb.service.nameOverride" . }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }}
+ {{- end }}
+
+{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled }}
+
+To connect to your database nodes from outside, you need to add both primary and secondary nodes hostnames/IPs to your Mongo client. To obtain them, follow the instructions below:
+
+{{- if eq "NodePort" .Values.externalAccess.service.type }}
+{{- if .Values.externalAccess.service.domain }}
+
+ MongoDB® nodes domain: Use your provided hostname to reach MongoDB® nodes, {{ .Values.externalAccess.service.domain }}
+
+{{- else }}
+
+ MongoDB® nodes domain: you can reach MongoDB® nodes on any of the K8s nodes external IPs. 
+
+ kubectl get nodes -o wide
+
+{{- end }}
+
+ MongoDB® nodes port: You will have a different node port for each MongoDB® node. You can get the list of configured node ports using the command below:
+
+ echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')"
+
+{{- else if contains "LoadBalancer" .Values.externalAccess.service.type }}
+
+ NOTE: It may take a few minutes for the LoadBalancer IPs to be available.
+ Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -w'
+
+ MongoDB® nodes domain: You will have a different external IP for each MongoDB® node. You can get the list of external IPs using the command below:
+
+ echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')"
+
+ MongoDB® nodes port: {{ .Values.externalAccess.service.ports.mongodb }}
+
+{{- end }}
+
+{{- else if eq .Values.architecture "standalone" }}
+
+To connect to your database from outside the cluster execute the following commands:
+
+{{- if contains "NodePort" .Values.service.type }}
+
+ export NODE_IP=$(kubectl get nodes --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ export NODE_PORT=$(kubectl get --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "mongodb.service.nameOverride" . 
}})
+ mongo --host $NODE_IP --port $NODE_PORT {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }}
+
+{{- else if contains "LoadBalancer" .Values.service.type }}
+
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ Watch the status with: 'kubectl get svc --namespace {{ template "mongodb.namespace" . }} -w {{ template "mongodb.service.nameOverride" . }}'
+
+ export SERVICE_IP=$(kubectl get svc --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.service.nameOverride" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
+ mongosh --host $SERVICE_IP --port {{ $portNumber }} {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }}
+
+{{- else if contains "ClusterIP" .Values.service.type }}
+
+ kubectl port-forward --namespace {{ template "mongodb.namespace" . }} svc/{{ template "mongodb.service.nameOverride" . }} {{ $portNumber }}:{{ $portNumber }} &
+ mongosh --host 127.0.0.1 {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }}
+
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.metrics.enabled }}
+
+To access the MongoDB® Prometheus metrics, get the MongoDB® Prometheus URL by running:
+
+ kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-metrics" (include "mongodb.fullname" .) }} {{ .Values.metrics.service.ports.metrics }}:{{ .Values.metrics.service.ports.metrics }} &
+ echo "Prometheus Metrics URL: http://127.0.0.1:{{ .Values.metrics.service.ports.metrics }}/metrics"
+
+Then, open the obtained URL in a browser. 
+
+{{- end }}
+{{- end }}
+{{- include "common.warnings.rollingTag" .Values.image }}
+{{- include "common.warnings.rollingTag" .Values.metrics.image }}
+{{- include "common.warnings.rollingTag" .Values.externalAccess.autoDiscovery.image }}
+{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
+{{- include "common.warnings.rollingTag" .Values.tls.image }}
+{{- include "mongodb.validateValues" . }}
+{{- include "common.warnings.resources" (dict "sections" (list "arbiter" "externalAccess.autoDiscovery" "hidden" "metrics" "" "tls" "volumePermissions") "context" $) }}
diff --git a/kubernetes/common/mongodb/templates/_helpers.tpl b/kubernetes/common/mongodb/templates/_helpers.tpl
new file mode 100644
index 0000000000..b6bbb1f781
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/_helpers.tpl 
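Review bot: The in-cluster `mongosh admin` commands pass `-u $MONGODB_ROOT_USER`, but the notes only export `MONGODB_ROOT_PASSWORD` and the `kubectl run` line forwards only that variable into the client pod, so the user name expands to nothing unless the image happens to set it (not visible in this hunk). The standalone external-access commands pass `-p` with no `-u` at all, and the NodePort variant calls `mongo` where every other branch calls `mongosh`. All of these put the root password on the command line, where it lands in shell history and the process list; giving `-p` without a value makes mongosh prompt for it instead. The unauthenticated-exposure warning names `mongodb.auth.enabled` although the condition reads `.Values.auth.enabled`, which points a standalone install at the wrong key.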
@@ -0,0 +1,514 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "mongodb.name" -}} +{{- include "common.names.name" . -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "mongodb.fullname" -}} +{{- include "common.names.fullname" . -}} +{{- end -}} + +{{/* +Create a default mongo service name which can be overridden. +*/}} +{{- define "mongodb.service.nameOverride" -}} + {{- if and .Values.service .Values.service.nameOverride -}} + {{- print .Values.service.nameOverride -}} + {{- else -}} + {{- if eq .Values.architecture "replicaset" -}} + {{- printf "%s-headless" (include "mongodb.fullname" .) -}} + {{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Create a default mongo arbiter service name which can be overridden. +*/}} +{{- define "mongodb.arbiter.service.nameOverride" -}} + {{- if and .Values.arbiter.service .Values.arbiter.service.nameOverride -}} + {{- print .Values.arbiter.service.nameOverride -}} + {{- else -}} + {{- printf "%s-arbiter-headless" (include "mongodb.fullname" .) 
-}} + {{- end }} +{{- end }} + +{{/* +Return the proper MongoDB® image name +*/}} +{{- define "mongodb.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the metrics image) +*/}} +{{- define "mongodb.metrics.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "mongodb.volumePermissions.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container auto-discovery image) +*/}} +{{- define "mongodb.externalAccess.autoDiscovery.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.externalAccess.autoDiscovery.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the TLS Certs image) +*/}} +{{- define "mongodb.tls.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.tls.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "mongodb.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.tls.image) "context" $) -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. 
+*/}} +{{- define "mongodb.namespace" -}} + {{- if and .Values.global .Values.global.namespaceOverride -}} + {{- print .Values.global.namespaceOverride -}} + {{- else -}} + {{- print .Release.Namespace -}} + {{- end }} +{{- end -}} +{{- define "mongodb.serviceMonitor.namespace" -}} + {{- if .Values.metrics.serviceMonitor.namespace -}} + {{- print .Values.metrics.serviceMonitor.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} +{{- define "mongodb.prometheusRule.namespace" -}} + {{- if .Values.metrics.prometheusRule.namespace -}} + {{- print .Values.metrics.prometheusRule.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} + +{{/* +Returns the proper service account name depending if an explicit service account name is set +in the values file. If the name is not set it will default to either mongodb.fullname if serviceAccount.create +is true or default otherwise. +*/}} +{{- define "mongodb.serviceAccountName" -}} + {{- if .Values.serviceAccount.create -}} + {{- default (include "mongodb.fullname" .) (print .Values.serviceAccount.name) -}} + {{- else -}} + {{- default "default" (print .Values.serviceAccount.name) -}} + {{- end -}} +{{- end -}} + +{{/* +Return the list of custom users to create during the initialization (string format) +*/}} +{{- define "mongodb.customUsers" -}} + {{- $customUsers := list -}} + {{- if .Values.auth.username -}} + {{- $customUsers = append $customUsers .Values.auth.username }} + {{- end }} + {{- range .Values.auth.usernames }} + {{- $customUsers = append $customUsers . 
}} + {{- end }} + {{- printf "%s" (default "" (join "," $customUsers)) -}} +{{- end -}} + +{{/* +Return the list of passwords for the custom users (string format) +*/}} +{{- define "mongodb.customPasswords" -}} + {{- $customPasswords := list -}} + {{- if .Values.auth.password -}} + {{- $customPasswords = append $customPasswords .Values.auth.password }} + {{- end }} + {{- range .Values.auth.passwords }} + {{- $customPasswords = append $customPasswords . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customPasswords)) -}} +{{- end -}} + +{{/* +Return the list of custom databases to create during the initialization (string format) +*/}} +{{- define "mongodb.customDatabases" -}} + {{- $customDatabases := list -}} + {{- if .Values.auth.database -}} + {{- $customDatabases = append $customDatabases .Values.auth.database }} + {{- end }} + {{- range .Values.auth.databases }} + {{- $customDatabases = append $customDatabases . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customDatabases)) -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration +*/}} +{{- define "mongodb.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® +*/}} +{{- define "mongodb.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret with MongoDB® credentials +*/}} +{{- define "mongodb.secretName" -}} + {{- if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} + {{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) 
-}} + {{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created for MongoDB® +*/}} +{{- define "mongodb.createSecret" -}} +{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "mongodb.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" .Values.initdbScriptsConfigMap -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if the Arbiter should be deployed +*/}} +{{- define "mongodb.arbiter.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Arbiter +*/}} +{{- define "mongodb.arbiter.configmapName" -}} +{{- if .Values.arbiter.existingConfigmap -}} + {{- printf "%s" (tpl .Values.arbiter.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-arbiter" (include "mongodb.fullname" .) 
-}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Arbiter +*/}} +{{- define "mongodb.arbiter.createConfigmap" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled .Values.arbiter.configuration (not .Values.arbiter.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if the Hidden should be deployed +*/}} +{{- define "mongodb.hidden.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.hidden.enabled }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Hidden +*/}} +{{- define "mongodb.hidden.configmapName" -}} +{{- if .Values.hidden.existingConfigmap -}} + {{- printf "%s" (tpl .Values.hidden.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-hidden" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Hidden +*/}} +{{- define "mongodb.hidden.createConfigmap" -}} +{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.enabled .Values.hidden.configuration (not .Values.hidden.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "mongodb.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "mongodb.validateValues.pspAndRBAC" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.architecture" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBs" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBsLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessServiceType" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.loadBalancerIPsListLength" .) 
-}} +{{- $messages := append $messages (include "mongodb.validateValues.nodePortListLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.replicaset.existingSecrets" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.hidden.existingSecrets" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate RBAC is created when using PSP */}} +{{- define "mongodb.validateValues.pspAndRBAC" -}} +{{- if and (.Values.podSecurityPolicy.create) (not .Values.rbac.create) -}} +mongodb: podSecurityPolicy.create, rbac.create + Both podSecurityPolicy.create and rbac.create must be true, if you want + to create podSecurityPolicy +{{- end -}} +{{- end -}} + +{{/* Validate values of MongoDB® - must provide a valid architecture */}} +{{- define "mongodb.validateValues.architecture" -}} +{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replicaset") -}} +mongodb: architecture + Invalid architecture selected. Valid values are "standalone" and + "replicaset". Please set a valid architecture (--set mongodb.architecture="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases are necessary +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBs" -}} +{{- $customUsers := include "mongodb.customUsers" . -}} +{{- $customDatabases := include "mongodb.customDatabases" . 
-}} +{{- if or (and (empty $customUsers) (not (empty $customDatabases))) (and (not (empty $customUsers)) (empty $customDatabases)) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases must be provided to create + custom users and databases during 1st initialization. + Please set both of them (--set auth.usernames[0]="xxxx",auth.databases[0]="yyyy") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases arrays should have the same length +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBsLength" -}} +{{- if ne (len .Values.auth.usernames) (len .Values.auth.databases) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases arrays should have the same length +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - service type for external access +*/}} +{{- define "mongodb.validateValues.externalAccessServiceType" -}} +{{- if and (eq .Values.architecture "replicaset") (not (eq .Values.externalAccess.service.type "NodePort")) (not (eq .Values.externalAccess.service.type "LoadBalancer")) (not (eq .Values.externalAccess.service.type "ClusterIP")) -}} +mongodb: externalAccess.service.type + Available service type for external access are NodePort, LoadBalancer or ClusterIP. 
+{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than LoadBalancer IPs list +*/}} +{{- define "mongodb.validateValues.loadBalancerIPsListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled ) (eq .Values.externalAccess.service.type "LoadBalancer") (not (eq $replicaCount $loadBalancerListLength )) -}} +mongodb: .Values.externalAccess.service.loadBalancerIPs + Number of replicas and loadBalancerIPs array length must be the same. +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than NodePort list +*/}} +{{- define "mongodb.validateValues.nodePortListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $nodePortListLength := len .Values.externalAccess.service.nodePorts }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "NodePort") (not (eq $replicaCount $nodePortListLength )) -}} +mongodb: .Values.externalAccess.service.nodePorts + Number of replicas and nodePorts array length must be the same. +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - RBAC should be enabled when autoDiscovery is enabled +*/}} +{{- define "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (not .Values.rbac.create ) }} +mongodb: rbac.create + By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true" + an initContainer will be used to autodetect the external IPs/ports by querying the + K8s API. Please note this initContainer requires specific RBAC resources. 
You can create them + by specifying "--set rbac.create=true". +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - Number of replicaset secrets must be the same than number of replicaset nodes. +*/}} +{{- define "mongodb.validateValues.replicaset.existingSecrets" -}} +{{- if and .Values.tls.enabled (eq .Values.architecture "replicaset") (not (empty .Values.tls.replicaset.existingSecrets)) }} +{{- $nbSecrets := len .Values.tls.replicaset.existingSecrets -}} +{{- if not (eq $nbSecrets (int .Values.replicaCount)) }} +mongodb: tls.replicaset.existingSecrets + tls.replicaset.existingSecrets Number of secrets and number of replicaset nodes must be the same. +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - Number of hidden secrets must be the same than number of hidden nodes. +*/}} +{{- define "mongodb.validateValues.hidden.existingSecrets" -}} +{{- if and .Values.tls.enabled (include "mongodb.hidden.enabled" .) (not (empty .Values.tls.hidden.existingSecrets)) }} +{{- $nbSecrets := len .Values.tls.hidden.existingSecrets -}} +{{- if not (eq $nbSecrets (int .Values.hidden.replicaCount)) }} +mongodb: tls.hidden.existingSecrets + tls.hidden.existingSecrets Number of secrets and number of hidden nodes must be the same. 
+{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® exporter URI string - auth.enabled and/or tls.enabled must be enabled or it defaults +*/}} +{{- define "mongodb.mongodb_exporter.uri" -}} + {{- $tlsEnabled := .Values.tls.enabled -}} + {{- $mTlsEnabled := and $tlsEnabled .Values.tls.mTLS.enabled -}} + {{- $tlsArgs := "" -}} + {{- if $tlsEnabled -}} + {{- $tlsCertKeyFile := ternary "&tlsCertificateKeyFile=/certs/mongodb.pem" "" $mTlsEnabled -}} + {{- $tlsArgs = printf "tls=true%s&tlsCAFile=/certs/mongodb-ca-cert" $tlsCertKeyFile -}} + {{- end -}} + {{- if .Values.metrics.username -}} + {{- $uriAuth := ternary "$(echo $MONGODB_METRICS_USERNAME | sed -r \"s/@/%40/g;s/:/%3A/g\"):$(echo $MONGODB_METRICS_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- else -}} + {{- $uriAuth := ternary "$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS secret object should be created +*/}} +{{- define "mongodb.createTlsSecret" -}} +{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) (include "mongodb.autoGenerateCerts" .) 
}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret containing MongoDB® TLS certificates +*/}} +{{- define "mongodb.tlsSecretName" -}} +{{- $secretName := .Values.tls.existingSecret -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-ca" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if certificates must be auto generated +*/}} +{{- define "mongodb.autoGenerateCerts" -}} +{{- $standalone := (eq .Values.architecture "standalone") | ternary (not .Values.tls.standalone.existingSecret) true -}} +{{- $replicaset := (eq .Values.architecture "replicaset") | ternary (empty .Values.tls.replicaset.existingSecrets) true -}} +{{- $arbiter := (eq (include "mongodb.arbiter.enabled" .) "true") | ternary (not .Values.tls.arbiter.existingSecret) true -}} +{{- $hidden := (eq (include "mongodb.hidden.enabled" .) "true") | ternary (empty .Values.tls.hidden.existingSecrets) true -}} +{{- if and $standalone $replicaset $arbiter $hidden -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Generate argument list for mongodb-exporter +reference: https://github.com/percona/mongodb_exporter/blob/main/REFERENCE.md +*/}} +{{- define "mongodb.exporterArgs" -}} +{{- with .Values.metrics.collector -}} +{{- ternary " --collect-all" "" .all -}} +{{- ternary " --collector.diagnosticdata" "" .diagnosticdata -}} +{{- ternary " --collector.replicasetstatus" "" .replicasetstatus -}} +{{- ternary " --collector.dbstats" "" .dbstats -}} +{{- ternary " --collector.topmetrics" "" .topmetrics -}} +{{- ternary " --collector.indexstats" "" .indexstats -}} +{{- ternary " --collector.collstats" "" .collstats -}} +{{- if .collstatsColls -}} +{{- " --mongodb.collstats-colls=" -}} +{{- join "," .collstatsColls -}} +{{- end -}} +{{- if .indexstatsColls -}} +{{- " --mongodb.indexstats-colls=" -}} +{{- join "," .indexstatsColls -}} +{{- end -}} +{{- $limitArg := print " --collector.collstats-limit=" .collstatsLimit 
-}} +{{- ne (print .collstatsLimit) "0" | ternary $limitArg "" -}} +{{- end -}} +{{- ternary " --compatible-mode" "" .Values.metrics.compatibleMode -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/templates/arbiter/configmap.yaml b/kubernetes/common/mongodb/templates/arbiter/configmap.yaml new file mode 100644 index 0000000000..79fbfe5480 --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/configmap.yaml @@ -0,0 +1,20 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/arbiter/headless-svc.yaml b/kubernetes/common/mongodb/templates/arbiter/headless-svc.yaml new file mode 100644 index 0000000000..003bebb2ad --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/headless-svc.yaml 
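Review bot: In `mongodb.mongodb_exporter.uri` (templates/_helpers.tpl) the credentials are percent-encoded with `sed -r "s/@/%40/g;s/:/%3A/g"`, which covers only `@` and `:`, so a password containing `/`, `?`, `#` or `%` still produces a URI that fails to parse or is split in the wrong place; the `$MONGODB_ROOT_USER` branch is not encoded at all. Encoding `%` first and then the other reserved characters closes the gap, e.g. `s/%/%25/g;s/@/%40/g;s/:/%3A/g;s|/|%2F|g;s/[?]/%3F/g;s/#/%23/g`, applied to the user name as well as the password. The unquoted `echo $MONGODB_ROOT_PASSWORD` also lets the shell word-split and glob the secret before sed sees it, so `printf '%s' "$MONGODB_ROOT_PASSWORD"` is the safer feed. The expanded URI presumably ends up on the exporter's command line (the caller is outside this hunk), where it is readable from the process list, so it is worth checking whether the exporter version in use can take credentials separately from the URI. The header comment says "Validate values of MongoDB® exporter URI string" although the helper builds the URI; `Build the mongodb_exporter connection URI; credentials are expanded by the container shell at start-up` would describe it accurately.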
@@ -0,0 +1,31 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.enabled" .) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.arbiter.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if or .Values.arbiter.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: tcp-mongodb + port: {{ .Values.arbiter.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.arbiter.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter +{{- end }} diff --git a/kubernetes/common/mongodb/templates/arbiter/pdb.yaml b/kubernetes/common/mongodb/templates/arbiter/pdb.yaml new file mode 100644 index 0000000000..37b5c198af --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/pdb.yaml 
@@ -0,0 +1,28 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.arbiter.enabled" .) .Values.arbiter.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.arbiter.pdb.minAvailable }} + minAvailable: {{ .Values.arbiter.pdb.minAvailable }} + {{- end }} + {{- if .Values.arbiter.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.arbiter.pdb.maxUnavailable }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: arbiter +{{- end }} diff --git a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml new file mode 100644 index 0000000000..269863f3ec --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml 
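Review bot: In arbiter/pdb.yaml the two independent `if` blocks under `spec:` render both `minAvailable` and `maxUnavailable` when both values are set, and the Kubernetes API rejects a PodDisruptionBudget that carries both fields, so the problem only surfaces at install or upgrade time. Replacing the first `{{- end }}` and the second `{{- if ... }}` with a single `{{- else if .Values.arbiter.pdb.maxUnavailable }}` keeps the two fields mutually exclusive; a matching message in `mongodb.validateValues` would report the conflict at render time. The truthiness test also drops an explicit `0`, so `maxUnavailable: 0` cannot be expressed through these values.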
@@ -0,0 +1,310 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.enabled" .) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if or .Values.arbiter.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.arbiter.service.nameOverride" . }} + podManagementPolicy: {{ .Values.arbiter.podManagementPolicy }} + {{- if .Values.arbiter.updateStrategy }} + updateStrategy: {{- toYaml .Values.arbiter.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: arbiter + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: arbiter + {{- if or (include "mongodb.arbiter.createConfigmap" .) .Values.arbiter.podAnnotations }} + annotations: + {{- if (include "mongodb.arbiter.createConfigmap" .) 
}} + checksum/configuration: {{ include (print $.Template.BasePath "/arbiter/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.arbiter.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.arbiter.schedulerName }} + schedulerName: {{ .Values.arbiter.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + {{- if .Values.arbiter.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAffinityPreset "component" "arbiter" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAntiAffinityPreset "component" "arbiter" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.arbiter.nodeAffinityPreset.type "key" .Values.arbiter.nodeAffinityPreset.key "values" .Values.arbiter.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.arbiter.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.nodeSelector "context" $) | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.arbiter.automountServiceAccountToken }} + {{- if .Values.arbiter.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.tolerations "context" $) | nindent 8 }} + 
{{- end }} + {{- if .Values.arbiter.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.priorityClassName }} + priorityClassName: {{ .Values.arbiter.priorityClassName }} + {{- end }} + {{- if .Values.arbiter.runtimeClassName }} + runtimeClassName: {{ .Values.arbiter.runtimeClassName }} + {{- end }} + {{- if .Values.arbiter.podSecurityContext.enabled }} + securityContext: {{- omit .Values.arbiter.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{ if .Values.arbiter.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.arbiter.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.arbiter.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.arbiter.service.nameOverride" . 
}} + {{- end }} + containers: + - name: mongodb-arbiter + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.arbiter.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.arbiter.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.arbiter.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.arbiter.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.arbiter.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K8S_SERVICE_NAME + value: "{{ include "mongodb.arbiter.service.nameOverride" . }}" + - name: MONGODB_REPLICA_SET_MODE + value: "arbiter" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ printf "%s-0.%s.$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) (include "mongodb.service.nameOverride" .) 
.Values.clusterDomain }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + - name: MONGODB_PORT_NUMBER + value: {{ .Values.arbiter.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- $extraFlags := .Values.arbiter.extraFlags | join " " -}} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.arbiter.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.arbiter.extraEnvVarsCM .Values.arbiter.extraEnvVarsSecret }} + envFrom: + {{- if .Values.arbiter.extraEnvVarsCM }} + - 
configMapRef: + name: {{ tpl .Values.arbiter.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.arbiter.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.arbiter.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.arbiter.containerPorts.mongodb }} + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.arbiter.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: mongodb + {{- end }} + {{- if .Values.arbiter.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.readinessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: mongodb + {{- end }} + {{- if .Values.arbiter.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: mongodb + {{- end }} + {{- end }} + {{- if .Values.arbiter.resources }} + resources: {{- toYaml .Values.arbiter.resources | nindent 12 }} + {{- else if ne .Values.arbiter.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.arbiter.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: 
/tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.arbiter.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.arbiter.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0555 + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.arbiter.configmapName" . }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . 
}} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.arbiter.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.arbiter.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml new file mode 100644 index 0000000000..79466e919e --- /dev/null +++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml 
@@ -0,0 +1,204 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.backup.enabled }} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ include "mongodb.fullname" . }}-mongodump + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + schedule: {{ quote .Values.backup.cronjob.schedule }} + concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }} + failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }} + successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }} + {{- if .Values.backup.cronjob.startingDeadlineSeconds }} + startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }} + {{- end }} + jobTemplate: + spec: + {{- if .Values.backup.cronjob.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . 
| nindent 12 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 10 }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if .Values.tls.enabled }} + initContainers: + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . 
}} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if .Values.tls.extraDnsNames }} + - -n {{ join "," .Values.tls.extraDnsNames }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- toYaml .Values.tls.resources | nindent 16 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 16 }} + {{- end }} + {{- end }} + containers: + - name: {{ include "mongodb.fullname" . }}-mongodump + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + {{- if .Values.auth.enabled }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- end }} + - name: MONGODB_SERVICE_NAME + value: {{ include "mongodb.service.nameOverride" . 
}} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODUMP_DIR + value: {{ .Values.backup.cronjob.storage.mountPath }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --ssl --sslPEMKeyFile=/certs/mongodb.pem --sslCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.backup.cronjob.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} + {{- else }} + command: + - /bin/sh + - -c + - "mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz" + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + {{- end }} + - name: datadir + mountPath: {{ .Values.backup.cronjob.storage.mountPath }} + subPath: {{ .Values.backup.cronjob.storage.subPath }} + {{- if .Values.backup.cronjob.containerSecurityContext.enabled }} + securityContext: + {{- include "common.tplvalues.render" ( dict "value" ( omit .Values.backup.cronjob.containerSecurityContext "enabled" ) "context" $) | nindent 14 }} + {{- end }} + restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) 
}} + defaultMode: 0550 + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.standalone.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.backup.cronjob.storage.existingClaim }} + - name: datadir + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }} + {{- else }} + - name: datadir + persistentVolumeClaim: + claimName: {{ include "mongodb.fullname" . }}-mongodump + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/backup/pvc.yaml b/kubernetes/common/mongodb/templates/backup/pvc.yaml new file mode 100644 index 0000000000..caefc05f30 --- /dev/null +++ b/kubernetes/common/mongodb/templates/backup/pvc.yaml 
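Review bot: The default `command` of the mongodump container passes `--password=${MONGODB_ROOT_PASSWORD}`, so once the shell expands it the root password sits in the `mongodump` process arguments, readable by anything that can list processes in the pod or on the node. Keep the secret out of argv, for example by having the script write a mode-0600 options file under the `empty-dir` `/tmp` mount and passing it with `--config`, provided the tools version in the image supports that option. In the same string, `{{- if (eq $.Values.architecture "replicaset") }}--oplog` trims the space after `${MONGODB_CLIENT_EXTRA_FLAGS}`, so with TLS enabled the rendered command appears to end the CA path in `mongodb-ca-cert--oplog`. Writing it as `{{ if (eq $.Values.architecture "replicaset") }} --oplog{{ end }}` keeps the two apart.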
@@ -0,0 +1,41 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.backup.enabled (not .Values.backup.cronjob.storage.existingClaim) -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "mongodb.fullname" . }}-mongodump
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: mongodump
+ {{- if .Values.backup.cronjob.labels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy}}
+ annotations:
+ {{- if .Values.backup.cronjob.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.backup.cronjob.storage.resourcePolicy }}
+ helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .Values.backup.cronjob.storage.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.backup.cronjob.storage.size | quote }}
+ {{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) | nindent 2 }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/common-scripts-cm.yaml b/kubernetes/common/mongodb/templates/common-scripts-cm.yaml
new file mode 100644
index 0000000000..bf5feadbf8
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/common-scripts-cm.yaml 
@@ -0,0 +1,146 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- $fullname := include "mongodb.fullname" . }} + startup-probe.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert--tlsAllowInvalidHostnames' + {{- end }} + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'if (!(db.hello().isWritablePrimary || db.hello().secondary)) { throw new Error("Not ready") }' + readiness-probe.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + # Run the proper check depending on the version + [[ $(mongod -version | grep "db version") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]} + . 
/opt/bitnami/scripts/libversion.sh + VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)" + VERSION_MINOR="$(get_sematic_version "$VERSION" 2)" + VERSION_PATCH="$(get_sematic_version "$VERSION" 3)" + readiness_test='db.isMaster().ismaster || db.isMaster().secondary' + if [[ ( "$VERSION_MAJOR" -ge 5 ) || ( "$VERSION_MAJOR" -ge 4 && "$VERSION_MINOR" -ge 4 && "$VERSION_PATCH" -ge 2 ) ]]; then + readiness_test='db.hello().isWritablePrimary || db.hello().secondary' + fi + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "if (!(${readiness_test})) { throw new Error(\"Not ready\") }" + ping-mongodb.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')" + {{- if .Values.tls.enabled }} + generate-certs.sh: | + #!/bin/bash + {{- if (include "mongodb.autoGenerateCerts" .) }} + additional_ips=() + additional_names=() + while getopts "i:n:s:" flag + do + case "${flag}" in + i) read -a additional_ips <<< ${OPTARG//,/ } ;; + n) read -a additional_names <<< ${OPTARG//,/ } ;; + s) svc=${OPTARG// /} ;; + \?) 
exit 1 ;; + esac + done + + my_hostname=$(hostname) + cp /certs/CAs/* /certs/ + cat >/certs/openssl.cnf <>/certs/openssl.cnf <>/certs/openssl.cnf < /certs/mongodb.pem + cd /certs/ + shopt -s extglob + rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf) + chmod 0600 mongodb-ca-cert mongodb.pem + {{- else }} + {{- if eq .Values.architecture "standalone" }} + ID="0" + {{- else }} + if [[ "$MY_POD_NAME" =~ "arbiter-0"$ ]]; then + ID="0" + elif [[ "$MY_POD_NAME" =~ "hidden-"[0-9]{1,}$ ]]; then + ID="${MY_POD_NAME#"{{ printf "%s-hidden-" $fullname }}"}" + else + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + fi + {{- end }} + + {{- if .Values.tls.pemChainIncluded }} + #Split the pem chain by the END CERTIFICATE string and store in files /certs/xx00, /certs/xx01 etc. + cat /certs-${ID}/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx + + #Use first certificate as leaf node and combine with key to store in pem file + cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" + + #Use remaining intermediate certificates for ca.crt + echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat > "/certs/mongodb-ca-cert" + + rm -rf /certs/xx* + {{- else }} + cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" + cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert" + {{- end }} + + chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem + {{- end }} + {{- end }} diff --git a/kubernetes/common/mongodb/templates/configmap.yaml b/kubernetes/common/mongodb/templates/configmap.yaml new file mode 100644 index 0000000000..7d11e087ff --- /dev/null +++ b/kubernetes/common/mongodb/templates/configmap.yaml 
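Review bot: In `startup-probe.sh`, as shown on this page, the `TLS_OPTIONS` string has no space between the CA path and the next flag (`--tlsCAFile=/certs/mongodb-ca-cert--tlsAllowInvalidHostnames`), unlike `readiness-probe.sh` and `ping-mongodb.sh`. With `tls.enabled` the startup probe would then point at a CA file that does not exist and never pass. The tail of the string should read `--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames'`. The heredoc bodies of `generate-certs.sh` are not legible in this view, so the certificate-generation steps are not covered by this note.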
@@ -0,0 +1,20 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (include "mongodb.createConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ mongodb.conf: |-
+ {{- include "common.tplvalues.render" (dict "value" .Values.configuration "context" $) | nindent 4 }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/extra-list.yaml b/kubernetes/common/mongodb/templates/extra-list.yaml
new file mode 100644
index 0000000000..2d35a580e8
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/extra-list.yaml
@@ -0,0 +1,9 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/hidden/configmap.yaml b/kubernetes/common/mongodb/templates/hidden/configmap.yaml
new file mode 100644
index 0000000000..a83087367e
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/hidden/configmap.yaml
@@ -0,0 +1,20 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (include "mongodb.hidden.createConfigmap" .) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: hidden
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ mongodb.conf: |-
+ {{- include "common.tplvalues.render" (dict "value" .Values.hidden.configuration "context" $) | nindent 4 }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/hidden/external-access-svc.yaml b/kubernetes/common/mongodb/templates/hidden/external-access-svc.yaml
new file mode 100644
index 0000000000..6cbbb40bfc
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/hidden/external-access-svc.yaml
@@ -0,0 +1,69 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.hidden.enabled" .) .Values.externalAccess.hidden.enabled }} +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.hidden.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-hidden-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-hidden-%d-external" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + pod: {{ $targetPod }} + {{- if or $root.Values.externalAccess.hidden.service.annotations $root.Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.externalAccess.hidden.service.annotations $root.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $root.Values.externalAccess.hidden.service.type }} + {{- if eq $root.Values.externalAccess.hidden.service.type "LoadBalancer" }} + {{- if not (empty $root.Values.externalAccess.hidden.service.loadBalancerIPs) }} + loadBalancerIP: {{ index $root.Values.externalAccess.hidden.service.loadBalancerIPs $i }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.loadBalancerClass }} + loadBalancerClass: {{ $root.Values.externalAccess.hidden.service.loadBalancerClass }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + allocateLoadBalancerNodePorts: {{ 
$root.Values.externalAccess.hidden.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if (or (eq $root.Values.externalAccess.hidden.service.type "LoadBalancer") (eq $root.Values.externalAccess.hidden.service.type "NodePort")) }} + externalTrafficPolicy: {{ $root.Values.externalAccess.hidden.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.sessionAffinity }} + sessionAffinity: {{ $root.Values.externalAccess.hidden.service.sessionAffinity }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + publishNotReadyAddresses: true + ports: + - name: {{ $root.Values.externalAccess.hidden.service.portName | quote }} + port: {{ $root.Values.externalAccess.hidden.service.ports.mongodb }} + {{- if not (empty $root.Values.externalAccess.hidden.service.nodePorts) }} + {{- $nodePort := index $root.Values.externalAccess.hidden.service.nodePorts $i }} + nodePort: {{ $nodePort }} + {{- else }} + nodePort: null + {{- end }} + targetPort: mongodb + {{- if $root.Values.externalAccess.hidden.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.hidden.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} 
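Review bot: `loadBalancerSourceRanges` is emitted only when the value is set, so a `LoadBalancer` Service rendered from this template without it accepts traffic from any source address, and `publishNotReadyAddresses: true` routes to pods before their readiness probe passes. For a database endpoint I would add a comment above the `loadBalancerSourceRanges` block such as `# leave unset only when the load balancer is already restricted upstream`. I would also have the chart's validation reject `externalAccess.hidden.enabled` together with `auth.enabled: false`; whether such a check already exists in the helpers is not visible in this hunk. `namespace: {{ include "mongodb.namespace" $ }}` also lacks the `| quote` that the other templates in this commit apply to the namespace.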
diff --git a/kubernetes/common/mongodb/templates/hidden/headless-svc.yaml b/kubernetes/common/mongodb/templates/hidden/headless-svc.yaml
new file mode 100644
index 0000000000..49b6845c7e
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/hidden/headless-svc.yaml
@@ -0,0 +1,32 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (include "mongodb.hidden.enabled" .) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ printf "%s-hidden-headless" (include "mongodb.fullname" .) }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: hidden
+ {{- if or .Values.hidden.service.headless.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: {{ .Values.hidden.service.portName | quote }}
+ port: {{ .Values.hidden.service.ports.mongodb }}
+ targetPort: mongodb
+ {{- if .Values.hidden.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.hidden.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: hidden
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/hidden/pdb.yaml b/kubernetes/common/mongodb/templates/hidden/pdb.yaml
new file mode 100644
index 0000000000..5420a93275
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/hidden/pdb.yaml
@@ -0,0 +1,28 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.pdb.create }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ printf "%s-hidden" (include "mongodb.fullname" . )}}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: hidden
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.hidden.pdb.minAvailable }}
+ minAvailable: {{ .Values.hidden.pdb.minAvailable }}
+ {{- end }}
+ {{- if .Values.hidden.pdb.maxUnavailable }}
+ maxUnavailable: {{ .Values.hidden.pdb.maxUnavailable }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: hidden
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
new file mode 100644
index 0000000000..5b2a807d84
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
@@ -0,0 +1,601 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.enabled" .) }} +{{- $replicaCount := int .Values.hidden.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.hidden.service.loadBalancerIPs }} +{{- if not (and .Values.externalAccess.hidden.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.hidden.service.type "LoadBalancer")) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if or .Values.hidden.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ printf "%s-hidden-headless" (include "mongodb.fullname" .) }} + podManagementPolicy: {{ .Values.hidden.podManagementPolicy }} + replicas: {{ .Values.hidden.replicaCount }} + {{- if .Values.hidden.updateStrategy }} + updateStrategy: {{- toYaml .Values.hidden.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . 
) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: hidden + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: hidden + {{- if or (include "mongodb.hidden.createConfigmap" .) .Values.hidden.podAnnotations }} + annotations: + {{- if (include "mongodb.hidden.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/hidden/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.hidden.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.hidden.schedulerName }} + schedulerName: {{ .Values.hidden.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . 
}} + automountServiceAccountToken: {{ .Values.hidden.automountServiceAccountToken }} + {{- if .Values.hidden.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAffinityPreset "component" "hidden" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAntiAffinityPreset "component" "hidden" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.hidden.nodeAffinityPreset.type "key" .Values.hidden.nodeAffinityPreset.key "values" .Values.hidden.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.priorityClassName }} + priorityClassName: {{ .Values.hidden.priorityClassName }} + {{- end }} + {{- if .Values.hidden.runtimeClassName }} + runtimeClassName: {{ .Values.hidden.runtimeClassName }} + {{- end }} + {{- if .Values.hidden.podSecurityContext.enabled }} + securityContext: {{- omit 
.Values.hidden.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{ if .Values.hidden.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.hidden.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if or .Values.hidden.initContainers (and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled) (and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.tls.enabled }} + initContainers: + {{- if .Values.hidden.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled }} + - name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ printf "%s/%s" .Values.hidden.persistence.mountPath (default "" .Values.hidden.persistence.subPath) }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.hidden.persistence.mountPath (default "" .Values.hidden.persistence.subPath) }} + find {{ printf "%s/%s" .Values.hidden.persistence.mountPath (default "" .Values.hidden.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml 
.Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: datadir + mountPath: {{ .Values.hidden.persistence.mountPath }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + {{- range $index, $_ := .Values.tls.hidden.existingSecrets }} + - name: mongodb-certs-{{ $index }} + mountPath: /certs-{{ $index }} + {{- end }} + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ printf "%s-hidden-headless" (include "mongodb.fullname" .) 
}} + {{- if .Values.externalAccess.hidden.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.hidden.service.loadBalancerIPs }} + {{- end }} + {{- if .Values.tls.extraDnsNames }} + - -n {{ join "," .Values.tls.extraDnsNames }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- toYaml .Values.tls.resources | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: auto-discovery + image: {{ include "mongodb.externalAccess.autoDiscovery.image" . }} + imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} + command: + - /scripts/auto-discovery.sh + # We need the service account token for contacting the k8s API + automountServiceAccountToken: true + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SHARED_FILE + value: "/shared/info.txt" + {{- if .Values.externalAccess.autoDiscovery.resources }} + resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }} + {{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: shared + mountPath: /shared + - name: scripts + mountPath: /scripts/auto-discovery.sh + subPath: auto-discovery.sh + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.hidden.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.hidden.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.hidden.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup-hidden.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.hidden.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K8S_SERVICE_NAME + value: "{{ include "mongodb.service.nameOverride" . }}" + - name: K8S_HIDDEN_NODE_SERVICE_NAME + value: "{{ include "mongodb.fullname" . 
}}-hidden-headless" + - name: MONGODB_REPLICA_SET_MODE + value: "hidden" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ printf "%s-0.$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) .Values.clusterDomain }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.hidden.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).$(K8S_HIDDEN_NODE_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.hidden.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.hidden.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.hidden.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.hidden.extraEnvVarsCM .Values.hidden.extraEnvVarsSecret }} + envFrom: + {{- if .Values.hidden.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.hidden.extraEnvVarsCM . 
| quote }} + {{- end }} + {{- if .Values.hidden.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.hidden.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.hidden.containerPorts.mongodb }} + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.hidden.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.hidden.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.hidden.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.hidden.resources }} + resources: {{- toYaml .Values.hidden.resources | nindent 12 }} + {{- else if ne .Values.hidden.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.hidden.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: datadir + mountPath: {{ 
.Values.hidden.persistence.mountPath }} + subPath: {{ .Values.hidden.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup-hidden.sh + subPath: setup-hidden.sh + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + {{- if .Values.hidden.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + - name: empty-dir + mountPath: /opt/bitnami/redis-cluster/tmp + subPath: app-tmp-dir + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: 9216 + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne 
.Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.hidden.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0555 + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.hidden.configmapName" . }} + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + emptyDir: {} + {{- end }} + - name: scripts + configMap: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0755 + {{- if .Values.hidden.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . 
}} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + {{- range $index, $secret := .Values.tls.hidden.existingSecrets }} + - name: mongodb-certs-{{ $index }} + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- if not .Values.hidden.persistence.enabled }} + - name: datadir + {{- if .Values.hidden.persistence.medium }} + emptyDir: + medium: {{ .Values.hidden.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: datadir + {{- if .Values.hidden.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.hidden.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.hidden.persistence.size | quote }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.hidden.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} 
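Review bot: The `generate-tls-certs` and `auto-discovery` init containers are declared without a `securityContext`, while the `mongodb` container gets `.Values.hidden.containerSecurityContext`; they run with whatever the image and the pod-level context give them. When certificates are auto-generated, `generate-tls-certs` also has the CA private key (`mongodb-ca-key` from `certs-volume`) mounted under `/certs/CAs`. I would give both the guarded block the main container already uses, `securityContext: {{- omit .Values.hidden.containerSecurityContext "enabled" | toYaml | nindent 12 }}` inside `{{- if .Values.hidden.containerSecurityContext.enabled }}`. Related: the `volume-permissions` chown and the `metrics` sidecar read `.Values.containerSecurityContext` and `.Values.podSecurityContext` rather than the `hidden.*` values applied to this pod, so a hidden-specific UID or fsGroup would leave the data directory owned by a different user.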
diff --git a/kubernetes/common/mongodb/templates/initialization-configmap.yaml b/kubernetes/common/mongodb/templates/initialization-configmap.yaml
new file mode 100644
index 0000000000..7086e0bf73
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/initialization-configmap.yaml
@@ -0,0 +1,19 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-init-scripts" (include "mongodb.fullname" .) }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/metrics-svc.yaml b/kubernetes/common/mongodb/templates/metrics-svc.yaml
new file mode 100644
index 0000000000..f21401eef7
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/metrics-svc.yaml
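Review bot: `.Values.initdbScripts` is written into a ConfigMap under `data:`, so anything placed in those scripts is stored in clear text and is readable by any subject allowed to get ConfigMaps in the namespace; nothing in the template warns against embedding credentials. A template comment above `data:` would cover it, for example `{{- /* Scripts are stored unencrypted and rendered as templates; keep passwords in a Secret and read them from the environment */}}`. The render call also passes `"context" .` where the other calls in this file pass `"context" $`; the two are equal at this scope, but `$` would match.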
@@ -0,0 +1,31 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ printf "%s-metrics" (include "mongodb.fullname" .) }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: metrics
+ {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.metrics.service.type }}
+ ports:
+ - port: {{ .Values.metrics.service.ports.metrics }}
+ targetPort: metrics
+ protocol: TCP
+ name: http-metrics
+ {{- if .Values.metrics.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/networkpolicy.yaml b/kubernetes/common/mongodb/templates/networkpolicy.yaml
new file mode 100644
index 0000000000..f6d62ca867
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/networkpolicy.yaml
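Review bot: The selector pins `app.kubernetes.io/component: mongodb` and merges `.Values.podLabels`, so the `metrics` sidecar that hidden/statefulset.yaml adds to pods labelled `component: hidden` never becomes an endpoint of this Service and those members are not scraped through it. Either say so above the selector (`# hidden nodes are not selected here; scrape them separately`) or add a matching Service for the hidden component. `type: {{ .Values.metrics.service.type }}` is also unconstrained, and nothing in these templates puts authentication in front of the exporter port, so the values documentation should recommend keeping it `ClusterIP`.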
@@ -0,0 +1,83 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotation }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . 
) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.containerPorts.mongodb }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.mongodb }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPort }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: mongodb + {{- $ingressNSMatchLabels := coalesce .Values.networkPolicy.ingressNSMatchLabels .Values.networkPolicy.namespaceSelector }} + {{- if $ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := $ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- $ingressNSPodMatchLabels := coalesce .Values.networkPolicy.ingressNSPodMatchLabels .Values.networkPolicy.podSelector }} + {{- if $ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := $ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- $extraIngress := coalesce .Values.networkPolicy.extraIngress .Values.networkPolicy.customRules }} + {{- if $extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mongodb/templates/prometheusrule.yaml b/kubernetes/common/mongodb/templates/prometheusrule.yaml new file mode 100644 index 0000000000..00df349fcd --- /dev/null +++ b/kubernetes/common/mongodb/templates/prometheusrule.yaml 
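Review bot: The `extraEgress` branch tests `.Values.networkPolicy.extraEgress` but renders `.Values.rts.networkPolicy.extraEgress`; unless the chart's values define an `rts` key (not visible in this hunk), setting `extraEgress` fails the render or emits nothing, so the egress rules an operator configured are not applied. The render line should read `{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}`. The annotations guard has a similar slip, `.Values.commonAnnotation` without the final `s`, so annotations set only through `commonAnnotations` are dropped. `podSelector` also matches `component: mongodb` only, which means the pods from hidden/statefulset.yaml (`component: hidden`) are not covered by this policy; that should at least be stated in a comment.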
@@ -0,0 +1,23 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.prometheusRule.namespace" . }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.metrics.prometheusRule.additionalLabels }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ groups:
+ - name: {{ include "mongodb.fullname" . }}
+ rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/psp.yaml b/kubernetes/common/mongodb/templates/psp.yaml
new file mode 100644
index 0000000000..61c452b48b
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/psp.yaml
@@ -0,0 +1,51 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.podSecurityPolicy.spec }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.podSecurityPolicy.spec "context" $ ) | nindent 2 }}
+{{- else }}
+ allowPrivilegeEscalation: {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.podSecurityContext.fsGroup }}
+ max: {{ .Values.podSecurityContext.fsGroup }}
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: {{ .Values.podSecurityPolicy.privileged }}
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.containerSecurityContext.runAsUser }}
+ max: {{ .Values.containerSecurityContext.runAsUser }}
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.containerSecurityContext.runAsUser }}
+ max: {{ .Values.containerSecurityContext.runAsUser }}
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'emptyDir'
+ - 'persistentVolumeClaim'
+{{- end }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml b/kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml
new file mode 100644
index 0000000000..3bc9900597
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml
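Review bot: In the `else` branch of `spec`, `allowPrivilegeEscalation` and `privileged` are rendered straight from `.Values.podSecurityPolicy.*` with no fallback, so if a values override drops either key (the chart's values.yaml is not in this view) the field renders empty and the policy no longer states the restriction. Pinning the safe value in the template keeps the policy deny-by-default: `allowPrivilegeEscalation: {{ .Values.podSecurityPolicy.allowPrivilegeEscalation | default false }}` and `privileged: {{ .Values.podSecurityPolicy.privileged | default false }}`. The `supplementalGroups` range is built from `containerSecurityContext.runAsUser` rather than a group id, which looks unintended and deserves a comment if it is deliberate. A short comment above the `.Values.podSecurityPolicy.spec` branch should also say that a supplied spec replaces every restriction listed in the `else` branch.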
@@ -0,0 +1,69 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not (eq .Values.externalAccess.service.type "ClusterIP")) }} +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%d-external" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + pod: {{ $targetPod }} + {{- if or $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $root.Values.externalAccess.service.type }} + {{- if eq $root.Values.externalAccess.service.type "LoadBalancer" }} + {{- if not (empty $root.Values.externalAccess.service.loadBalancerIPs) }} + loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }} + {{- end }} + {{- if and (eq $root.Values.externalAccess.service.type "LoadBalancer") $root.Values.externalAccess.service.loadBalancerClass }} + loadBalancerClass: {{ $root.Values.externalAccess.service.loadBalancerClass }} + {{- end }} + {{- if $root.Values.externalAccess.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + allocateLoadBalancerNodePorts: 
{{ $root.Values.externalAccess.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if (or (eq $root.Values.externalAccess.service.type "LoadBalancer") (eq $root.Values.externalAccess.service.type "NodePort")) }} + externalTrafficPolicy: {{ $root.Values.externalAccess.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if $root.Values.externalAccess.service.sessionAffinity }} + sessionAffinity: {{ $root.Values.externalAccess.service.sessionAffinity }} + {{- end }} + {{- if $root.Values.externalAccess.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + publishNotReadyAddresses: true + ports: + - name: {{ $root.Values.externalAccess.service.portName | quote }} + port: {{ $root.Values.externalAccess.service.ports.mongodb }} + {{- if not (empty $root.Values.externalAccess.service.nodePorts) }} + {{- $nodePort := index $root.Values.externalAccess.service.nodePorts $i }} + nodePort: {{ $nodePort }} + {{- else }} + nodePort: null + {{- end }} + targetPort: mongodb + {{- if $root.Values.externalAccess.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/headless-svc.yaml b/kubernetes/common/mongodb/templates/replicaset/headless-svc.yaml new file mode 100644 index 0000000000..bf7a3d91e0 --- /dev/null 
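Review bot: With `externalAccess.service.type` set to `LoadBalancer`, `loadBalancerSourceRanges` is emitted only when the value is non-empty, so by default each per-pod Service publishes the MongoDB port with no source restriction declared in the manifest. Since these Services also set `publishNotReadyAddresses: true`, I would state that in the template, e.g. `{{- /* loadBalancerSourceRanges unset: no source restriction is declared for this Service; set it whenever externalAccess is enabled */}}`, and document the value as expected for exposed deployments. Separately, `index ... loadBalancerIPs $i` and `index ... nodePorts $i` run for every replica with no length check in this file, so a list shorter than `replicaCount` would presumably abort rendering with an index error; a `fail` guard comparing `len` of the list with `$replicaCount` would turn that into a readable message.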
+++ b/kubernetes/common/mongodb/templates/replicaset/headless-svc.yaml
@@ -0,0 +1,32 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if eq .Values.architecture "replicaset" }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "mongodb.service.nameOverride" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if or .Values.commonAnnotations .Values.service.headless.annotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ publishNotReadyAddresses: true
+ ports:
+ - name: {{ .Values.service.portName | quote }}
+ port: {{ .Values.service.ports.mongodb }}
+ targetPort: mongodb
+ {{- if .Values.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/replicaset/pdb.yaml b/kubernetes/common/mongodb/templates/replicaset/pdb.yaml
new file mode 100644
index 0000000000..5bbd31074e
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/replicaset/pdb.yaml
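Review bot: The Service name here comes from `mongodb.service.nameOverride`, but `setup.sh` in `scripts-configmap.yaml` (same commit) builds the peer host list with a literal `%s-headless` suffix on `mongodb.fullname`. The helper's definition is not in this view; if it can render anything other than `<fullname>-headless`, the existing-primary lookup on an empty data dir would query names that do not resolve and fall back to role selection by pod name without any error. Reusing the helper in the script's `printf`, or adding a comment on `name:` stating that it must stay `<fullname>-headless`, would keep the two in step.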
@@ -0,0 +1,28 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (eq .Values.architecture "replicaset") .Values.pdb.create }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.pdb.minAvailable }}
+ minAvailable: {{ .Values.pdb.minAvailable }}
+ {{- end }}
+ {{- if .Values.pdb.maxUnavailable }}
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+ app.kubernetes.io/component: mongodb
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml b/kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml
new file mode 100644
index 0000000000..00b2502092
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml
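Review bot: `minAvailable` and `maxUnavailable` are rendered by two independent `if` blocks, so setting both values produces a PodDisruptionBudget carrying both fields, which the API rejects as mutually exclusive, and a value of `0` is treated as unset by the truthiness test. Making the second branch exclusive avoids the invalid manifest: `{{- if and .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }}`. A one-line comment above the two blocks saying that only one of the two values may be set would help chart users.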
@@ -0,0 +1,317 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- if and .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + auto-discovery.sh: |- + #!/bin/bash + + SVC_NAME="${MY_POD_NAME}-external" + + # Auxiliary functions + retry_while() { + local -r cmd="${1:?cmd is missing}" + local -r retries="${2:-12}" + local -r sleep_time="${3:-5}" + local return_value=1 + + read -r -a command <<< "$cmd" + for ((i = 1 ; i <= retries ; i+=1 )); do + "${command[@]}" && return_value=0 && break + sleep "$sleep_time" + done + return $return_value + } + k8s_svc_lb_ip() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + local service_ip=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].ip}") + local service_hostname=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") + + if [[ -n ${service_ip} ]]; then + echo "${service_ip}" + else + echo "${service_hostname}" + fi + } + k8s_svc_lb_ip_ready() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + [[ -n "$(k8s_svc_lb_ip "$namespace" "$service")" ]] + } + # Wait until LoadBalancer IP is ready + retry_while "k8s_svc_lb_ip_ready {{ 
$releaseNamespace }} $SVC_NAME" || exit 1 + # Obtain LoadBalancer external IP + k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE" + {{- end }} + setup.sh: |- + #!/bin/bash + + . /opt/bitnami/scripts/mongodb-env.sh + . /opt/bitnami/scripts/libfs.sh + . /opt/bitnami/scripts/liblog.sh + . /opt/bitnami/scripts/libvalidations.sh + + {{- if .Values.externalAccess.enabled }} + {{- if eq .Values.externalAccess.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + fi + {{- if .Values.externalAccess.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER="$MONGODB_PORT_NUMBER" + fi + + info "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + info "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" + + # Check for existing replica set in case there is no data in the PVC + # This is for cases where the PVC is lost 
or for MongoDB caches without + # persistence + current_primary="" + if is_dir_empty "${MONGODB_DATA_DIR}/db"; then + info "Data dir empty, checking if the replica set already exists" + {{- $replicaCount := int .Values.replicaCount }} + {{- $portNumber := int .Values.service.ports.mongodb }} + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- $clusterDomain := .Values.clusterDomain }} + {{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} + {{- $mongoList := list }} + {{- range $e, $i := until $replicaCount }} + {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} + {{- end }} + + {{- if .Values.externalAccess.externalMaster.enabled }} + current_primary={{ printf "%s:%d" (.Values.externalAccess.externalMaster.host) ( int .Values.externalAccess.externalMaster.port) }} + {{- else }} + current_primary=$(mongosh admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }}{{- if .Values.tls.enabled}} --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert{{- end }} --eval 'db.runCommand("ismaster")' | awk -F\' '/primary/ {print $2}') + {{- end }} + if ! is_empty_value "$current_primary"; then + info "Detected existing primary: ${current_primary}" + fi + fi + + if ! is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" == "$current_primary" ]]; then + info "Advertised name matches current primary, configuring node as a primary" + export MONGODB_REPLICA_SET_MODE="primary" + elif ! is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" != "$current_primary" ]]; then + info "Current primary is different from this node. 
Configuring the node as replica of ${current_primary}" + export MONGODB_REPLICA_SET_MODE="secondary" + export MONGODB_INITIAL_PRIMARY_HOST="${current_primary%:*}" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="${current_primary#*:}" + export MONGODB_SET_SECONDARY_OK="yes" + elif [[ "$MY_POD_NAME" = "{{ $fullname }}-0" ]]; then + info "Pod name matches initial primary pod name, configuring node as a primary" + export MONGODB_REPLICA_SET_MODE="primary" + else + info "Pod name doesn't match initial primary pod name, configuring node as a secondary" + export MONGODB_REPLICA_SET_MODE="secondary" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + fi + + if [[ "$MONGODB_REPLICA_SET_MODE" == "secondary" ]]; then + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + fi + + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + setup-hidden.sh: |- + #!/bin/bash + + . 
/opt/bitnami/scripts/mongodb-env.sh + + {{- if .Values.externalAccess.hidden.enabled }} + {{- if eq .Values.externalAccess.hidden.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.hidden.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.hidden.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + fi + {{- if .Values.externalAccess.hidden.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.hidden.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + echo "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + echo "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" + echo "Configuring node as a hidden node" + export MONGODB_REPLICA_SET_MODE="hidden" + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export 
MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + {{- if .Values.replicaSetConfigurationSettings.enabled }} + replicaSetConfigurationSettings.sh: |- + #!/bin/bash + # This script to be called when pod starts. + # This script sets rs settings which can not be applied via conf file + + function logger () + #$1 is the line to be logged + { + echo "replicaSetConfigurationSettings.sh -- ${1}" >&1 + } + + SLEEP_PERIOD=10 + + {{- if and .Values.auth.enabled .Values.auth.rootPassword }} + usernameAndPassword="{{- if .Values.tls.enabled}} --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert{{- end }} -u ${MONGODB_ROOT_USER} -p ${MONGODB_ROOT_PASSWORD}" + {{- else }} + usernameAndPassword="" + {{- end }} + + # load Values.replicaSetConfigurationSettings.configuration into associtive array which makes iterating and string manipulation easy + declare -A desiredRsConf + {{ range $setting, $value := .Values.replicaSetConfigurationSettings.configuration -}} + {{ printf "desiredRsConf[%s]='%v'" $setting $value }} + {{ end }} + + rsConfWriteAttempts=0 + rs_conf_configured_ok=unknown + + while [[ "${rs_conf_configured_ok}" != "true" ]]; do + + # give the rs setup a chance to succeed before attempting to read or configure + sleep ${SLEEP_PERIOD} + + counter=0 + while ! mongosh ${usernameAndPassword} --eval 'rs.conf()'; do + counter=$((${counter} +1)) + logger "not yet able to read rs.conf settings from the currently running rs (after ${counter} attempts)" + sleep ${SLEEP_PERIOD} + done + counter=$((${counter} +1)) + logger "rs.conf settings have been read from the currently running rs (after ${counter} attempts)" + + # read rs.conf again and store it. 
settings format is '"" : ,' + currentRsConf=$(mongosh ${usernameAndPassword} --eval 'rs.conf()') + + desiredEqualsactual=unknown + settingsToConfigure="" + for key in ${!desiredRsConf[@]}; do + value=${desiredRsConf[$key]} + if ! $(echo "\"${currentRsConf}"\" | grep -q -e "${key}: ${value},"); then + if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then + memberIndex=$(echo $key | grep -o -E '[0-9]+') + nodeConfigKey=${key#*.} + settingsToConfigure="${settingsToConfigure}cfg.members[${memberIndex}].${nodeConfigKey} = ${value}; " + else + # General rs settings + settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; " + fi + desiredEqualsactual=false + else + logger "rs conf: ${key} is already at desired value: ${value}" + fi + done + + if [[ "${desiredEqualsactual}" != "false" ]]; then + logger "replicaSetConfigurationSettings match the settings of the currently running rs" + desiredEqualsactual=true + rs_conf_configured_ok=true + logger "Current settings match desired settings (There have been ${rsConfWriteAttempts} attempts to write to mongoDB rs configuration)" + exit + fi + + # apply the settings only if this member is currently the mongo replicaset PRIMARY + # it might take a little time before any pod is PRIMARY + isMaster=unknown + if ! mongosh ${usernameAndPassword} --eval 'rs.isMaster()' | grep -q "ismaster: true"; then + isMaster=false + logger "This node is not yet PRIMARY - replicaSetConfigurationSettings will only be set on the member that is currently PRIMARY" + else + isMaster=true + logger "This node is PRIMARY" + fi + + if [[ "${isMaster}" == "true" ]]; then + logger "This node is currently PRIMARY - will apply rs.conf settings" + + # avoiding tricky string substitution with single quotes by making the eval string a set of vars + rsconf="cfg = rs.conf();" + rsreconf="rs.reconfig(cfg);" + rsCommand="${rsconf} ${settingsToConfigure} ${rsreconf}" + + mongosh ${usernameAndPassword} --eval "${rsCommand}" + if [ $? 
-ne 0 ]; then + logger "Failed to apply mongodb cfg.settings configuration" + else + logger "mongodb replicaset cfg.settings configuration applied" + logger "Will check rs conf" + # don't exit just yet - the settings will be checked in the next loop + fi + rsConfWriteAttempts=$((${rsConfWriteAttempts} + 1 )) + fi + done + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml new file mode 100644 index 0000000000..55158e8fb0 --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml 
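Review bot: The root credentials in `setup.sh` and `replicaSetConfigurationSettings.sh` reach `mongosh` as unquoted `-u`/`-p` arguments, so a password containing whitespace or glob characters is word-split, and the value sits in the process argument list for as long as each call runs. Quoting is the minimal fix in `setup.sh`: `-u "$MONGODB_ROOT_USER" -p "$MONGODB_ROOT_PASSWORD"`; in `replicaSetConfigurationSettings.sh` the flags would be safer held in a bash array than in the `usernameAndPassword` string that is later expanded unquoted. That string is also populated only when `.Values.auth.rootPassword` is set and carries the TLS flags inside the same condition, so with auth enabled and the password supplied some other way (not visible in this hunk), or with TLS on and auth off, the script would call `mongosh` without the needed flags and keep retrying `rs.conf()`. Separately, the NodePort branch of `setup-hidden.sh` reads `.Values.externalAccess.service.nodePorts` while the surrounding lines use `externalAccess.hidden.service`, which looks like a copy-paste slip.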
@@ -0,0 +1,606 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- if not (and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.service.type "LoadBalancer")) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.service.nameOverride" . }} + podManagementPolicy: {{ .Values.podManagementPolicy }} + replicas: {{ .Values.replicaCount }} + {{- if .Values.updateStrategy }} + updateStrategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . 
) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: mongodb + {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }} + annotations: + {{- if (include "mongodb.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 
10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{ if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) (and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.tls.enabled }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . 
}} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + find {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: datadir + mountPath: {{ .Values.persistence.mountPath }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- end }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + {{- if (include "mongodb.autoGenerateCerts" .) 
}} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + {{- range $index, $_ := .Values.tls.replicaset.existingSecrets }} + - name: mongodb-certs-{{ $index }} + mountPath: /certs-{{ $index }} + {{- end }} + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . }} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if .Values.tls.extraDnsNames }} + - -n {{ join "," .Values.tls.extraDnsNames }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- toYaml .Values.tls.resources | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: auto-discovery + image: {{ include "mongodb.externalAccess.autoDiscovery.image" . 
}} + imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} + # We need the service account token for contacting the k8s API + automountServiceAccountToken: true + command: + - /scripts/auto-discovery.sh + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SHARED_FILE + value: "/shared/info.txt" + {{- if .Values.externalAccess.autoDiscovery.resources }} + resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }} + {{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: shared + mountPath: /shared + - name: scripts + mountPath: /scripts/auto-discovery.sh + subPath: auto-discovery.sh + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: K8S_SERVICE_NAME + value: "{{ include "mongodb.service.nameOverride" . }}" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ printf "%s-0.$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) 
.Values.clusterDomain }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.extraEnvVarsSecret . 
| quote }} + {{- end }} + {{- end }} + ports: + - name: mongodb + containerPort: {{ .Values.containerPorts.mongodb }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + 
subPath: app-logs-dir + - name: datadir + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup.sh + subPath: setup.sh + {{ if .Values.replicaSetConfigurationSettings.enabled }} + - name: scripts + mountPath: /scripts/replicaSetConfigurationSettings.sh + subPath: replicaSetConfigurationSettings.sh + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPort }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- 
include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0550 + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.configmapName" . }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + emptyDir: {} + {{- end }} + - name: scripts + configMap: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0755 + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . 
}} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + {{- range $index, $secret := .Values.tls.replicaset.existingSecrets }} + - name: mongodb-certs-{{ $index }} + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: datadir + {{- if .Values.persistence.medium }} + emptyDir: + medium: {{ .Values.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: datadir + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . 
| quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/svc.yaml b/kubernetes/common/mongodb/templates/replicaset/svc.yaml new file mode 100644 index 0000000000..d95504376a --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/svc.yaml 
@@ -0,0 +1,41 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "ClusterIP") }}
+
+{{- $fullName := include "mongodb.fullname" . }}
+{{- $replicaCount := .Values.replicaCount | int }}
+{{- $root := . }}
+
+{{- range $i, $e := until $replicaCount }}
+{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }}
+{{- $_ := set $ "targetPod" $targetPod }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ printf "%s-%d" $fullName $i }}
+ namespace: {{ include "mongodb.namespace" $ }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if or $root.Values.service.annotations $root.Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.service.annotations $root.Values.commonAnnotations ) "context" $ ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ ports:
+ - name: {{ $root.Values.service.portName | quote }}
+ port: {{ $root.Values.service.ports.mongodb }}
+ targetPort: mongodb
+ {{- if $root.Values.service.extraPorts }}
+ {{- include "common.tplvalues.render" (dict "value" $root.Values.service.extraPorts "context" $) | nindent 4 }}
+ {{- end }}
+ {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.podLabels $root.Values.commonLabels ) "context" $ ) }}
+ selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ statefulset.kubernetes.io/pod-name: {{ $targetPod }}
+---
+{{- end }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/role.yaml b/kubernetes/common/mongodb/templates/role.yaml
new file mode 100644
index 0000000000..b37d192cb0
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/role.yaml
@@ -0,0 +1,31 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.rbac.create }}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: Role
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+{{- if .Values.rbac.rules }}
+{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
+{{- end -}}
+{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }}
+ - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ include "mongodb.fullname" . }}]
+{{- end -}}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/rolebinding.yaml b/kubernetes/common/mongodb/templates/rolebinding.yaml
new file mode 100644
index 0000000000..c6a76e6455
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/rolebinding.yaml
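Review bot: The Role in role.yaml is rendered whenever `.Values.rbac.create` is set, yet the only Kubernetes API consumer visible in this part of the patch is the `auto-discovery` init container of the replicaset StatefulSet, which runs only when `externalAccess.autoDiscovery.enabled` is true. Unless another template needs it, the `services` get/list/watch rule could sit behind that same condition, or at least carry a comment such as `{{- /* services read access is used by the auto-discovery init container */}}`. `.Values.rbac.rules` is appended verbatim, so any extra rule a deployer supplies is granted to the same service account the database pods run under; the values documentation should say so.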
@@ -0,0 +1,21 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+roleRef:
+ kind: Role
+ name: {{ include "mongodb.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "mongodb.serviceAccountName" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/secrets-ca.yaml b/kubernetes/common/mongodb/templates/secrets-ca.yaml
new file mode 100644
index 0000000000..e1387ae30f
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/secrets-ca.yaml
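Review bot: The RoleBinding is rendered only when both `.Values.serviceAccount.create` and `.Values.rbac.create` are true, while role.yaml renders the Role on `.Values.rbac.create` alone. With a pre-existing service account (`serviceAccount.create: false`) the Role would be created but never bound, so the auto-discovery init container would presumably be denied when it reads services; the `mongodb.serviceAccountName` helper is not in this hunk, so confirm what it resolves to in that case. If binding to an existing account is intended, the condition can be reduced to `{{- if .Values.rbac.create }}`; otherwise a comment on the `if` line should state that the binding is deliberately limited to chart-created accounts.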
@@ -0,0 +1,33 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (include "mongodb.createTlsSecret" .) }}
+{{- $secretName := printf "%s" (include "mongodb.tlsSecretName" .) }}
+{{- $fullname := include "mongodb.fullname" . }}
+{{- $releaseNamespace := .Release.Namespace }}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $cn := printf "%s.%s.svc.%s" $fullname .Release.Namespace $clusterDomain }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+ namespace: {{ template "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ {{- if or .Values.tls.caCert .Values.tls.caKey (not .Values.tls.autoGenerated) }}
+ {{- $ca := buildCustomCert (required "A valid .Values.tls.caCert is required!" .Values.tls.caCert) (required "A valid .Values.tls.caKey is required!" .Values.tls.caKey) }}
+ mongodb-ca-cert: {{ b64enc $ca.Cert }}
+ mongodb-ca-key: {{ b64enc $ca.Key }}
+ {{- else }}
+ {{- $ca := genCA "myMongo-ca" 3650 }}
+ mongodb-ca-cert: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "mongodb-ca-cert" "defaultValue" $ca.Cert "context" $) }}
+ mongodb-ca-key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "mongodb-ca-key" "defaultValue" $ca.Key "context" $) }}
+ {{- end }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/secrets.yaml b/kubernetes/common/mongodb/templates/secrets.yaml
new file mode 100644
index 0000000000..004f2f3622
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/secrets.yaml
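Review bot: The `genCA "myMongo-ca" 3650` branch creates a CA valid for ten years and stores its private key under `mongodb-ca-key` in the same Opaque Secret as the certificate. Any principal that can read Secrets in this namespace can therefore sign certificates the replica set will trust, and the statefulset hunk mounts both keys into the `generate-tls-certs` init container. I would add a template comment at the `genCA` line, e.g. `{{- /* self-signed CA: the key lives in this Secret; restrict Secret read access in the namespace */}}`, and consider taking the validity from a chart value instead of a literal. `$releaseNamespace` and `$cn` are assigned but never used in this file.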
@@ -0,0 +1,128 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.auth.enabled }}
+{{- $replicaCount := int .Values.replicaCount }}
+{{- $port := .Values.service.ports.mongodb }}
+{{- $host := include "mongodb.service.nameOverride" . }}
+{{- $hostForURI := printf "%s:%s" (include "mongodb.service.nameOverride" .) (print $port) }}
+{{- if (eq .Values.architecture "replicaset") }}
+ {{- $fullname := include "mongodb.fullname" . }}
+ {{- $releaseNamespace := include "mongodb.namespace" . }}
+ {{- $clusterDomain := .Values.clusterDomain }}
+ {{- $mongoList := list }}
+ {{- $mongoOnlyHostList := list }}
+ {{- range $e, $i := until $replicaCount }}
+ {{- $mongoOnlyHostList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s" $fullname $i $fullname $releaseNamespace $clusterDomain) }}
+ {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%s" $fullname $i $fullname $releaseNamespace $clusterDomain (print $port)) }}
+ {{- end }}
+ {{- $host = (join "," $mongoOnlyHostList) }}
+ {{- $hostForURI = (join "," $mongoList) }}
+{{- end }}
+
+{{/* Root user section. */}}
+{{- $rootPassword := include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.secretName" .) "key" "mongodb-root-password" "providedValues" (list "auth.rootPassword" ) "context" $) | trimAll "\"" | b64dec }}
+
+{{/* Custom user section. This chart allows creating multiple users */}}
+{{- $customUsers := include "mongodb.customUsers" . }}
+{{- $customDatabases := include "mongodb.customDatabases" . }}
+{{- $customPasswords := include "mongodb.customPasswords" . }}
+{{- $passwords := "" }}
+{{- $passwordList := list -}}
+{{- $customUsersList := list }}
+{{- $customDatabasesList := list }}
+{{- $customPasswordsList := list }}
+{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
+{{- $customUsersList = splitList "," $customUsers }}
+{{- $customDatabasesList = splitList "," $customDatabases }}
+{{- if not (empty $customPasswords) }}
+{{- $passwordList = $customPasswords }}
+{{- $customPasswordsList = splitList "," $customPasswords }}
+{{- else }}
+{{- range $customUsersList }}
+{{- $customPasswordsList = append $customPasswordsList (randAlphaNum 10) }}
+{{- end -}}
+{{- $passwordList = (join "," $customPasswordsList) }}
+{{- end }}
+{{- $passwords = include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.secretName" .) "key" "mongodb-passwords" "providedValues" (list "mongodbPasswords") "context" (set (deepCopy $) "Values" (dict "mongodbPasswords" $passwordList))) | trimAll "\"" | b64dec }}
+{{- end }}
+
+{{- if (include "mongodb.createSecret" .) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ template "mongodb.namespace" . }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ mongodb-root-password: {{ print $rootPassword | b64enc | quote }}
+ {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }}
+ mongodb-passwords: {{ print $passwords | b64enc | quote }}
+ {{- end }}
+ {{- if .Values.metrics.username }}
+ mongodb-metrics-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.fullname" .) "key" "mongodb-metrics-password" "providedValues" (list "metrics.password" ) "context" $) }}
+ {{- end }}
+ {{- if eq .Values.architecture "replicaset" }}
+ mongodb-replica-set-key: {{ include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.fullname" .) "key" "mongodb-replica-set-key" "providedValues" (list "auth.replicaSetKey" ) "context" $) }}
+ {{- end }}
+{{- end }}
+{{- if .Values.serviceBindings.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.names.fullname" . }}-svcbind-root
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: servicebinding.io/mongodb
+data:
+ provider: {{ print "bitnami" | b64enc | quote }}
+ type: {{ print "mongodb" | b64enc | quote }}
+ host: {{ print $host | b64enc | quote }}
+ port: {{ print $port | b64enc | quote }}
+ username: {{ print .Values.auth.rootUser | b64enc | quote }}
+ password: {{ print $rootPassword | b64enc | quote }}
+ database: {{ print "admin" | b64enc | quote }}
+ uri: {{ printf "mongodb://%s:%s@%s/admin" .Values.auth.rootUser $rootPassword $hostForURI | b64enc | quote }}
+{{- range $e, $i := until (len $customUsersList) }}
+---
+{{- $currentSecret := printf "%s-svcbind-%d" (include "common.names.fullname" $) $i }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $currentSecret }}
+ namespace: {{ $.Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if $.Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: servicebinding.io/mongodb
+data:
+ {{- $currentUser := index $customUsersList $i }}
+ {{- $currentDatabase := last $customDatabasesList }}
+ {{- if gt (len $customDatabasesList) $i }}
+ {{- $currentDatabase = index $customDatabasesList $i }}
+ {{- end }}
+ {{- $currentProvidedPassword := index $customPasswordsList $i }}
+ {{- $currentPassword := include "common.secrets.lookup" (dict "secret" $currentSecret "key" "password" "defaultValue" $currentProvidedPassword "context" $) | b64dec }}
+ provider: {{ print "bitnami" | b64enc | quote }}
+ type: {{ print "mongodb" | b64enc | quote }}
+ host: {{ print $host | b64enc | quote }}
+ port: {{ print $port | b64enc | quote }}
+ username: {{ print $currentUser | b64enc | quote }}
+ password: {{ print $currentPassword | b64enc | quote }}
+ database: {{ print $currentDatabase | b64enc | quote }}
+ uri: {{ printf "mongodb://%s:%s@%s/%s" $currentUser $currentPassword $hostForURI $currentDatabase | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/serviceaccount.yaml b/kubernetes/common/mongodb/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..6dd53ab83e
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/serviceaccount.yaml
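Review bot: In the replicaset loop of secrets.yaml, `$mongoOnlyHostList = append $mongoList (...)` appends to the wrong list, so `$host` ends up as the `host:port` entries of the earlier replicas followed by one bare hostname instead of a list of bare hostnames; that value is written to the `host` key of every service-binding Secret. The line should read `{{- $mongoOnlyHostList = append $mongoOnlyHostList (printf "%s-%d.%s-headless.%s.svc.%s" $fullname $i $fullname $releaseNamespace $clusterDomain) }}`. Separately, both `uri` values interpolate the user name and password without percent-encoding, so a password containing `@`, `:` or `/` would produce a URI that clients parse incorrectly. Generated custom-user passwords come from `randAlphaNum 10`; a longer value would cost nothing.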
@@ -0,0 +1,20 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "mongodb.serviceAccountName" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+secrets:
+ - name: {{ template "mongodb.fullname" . }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/servicemonitor.yaml b/kubernetes/common/mongodb/templates/servicemonitor.yaml
new file mode 100644
index 0000000000..8273e4b626
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/servicemonitor.yaml
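Review bot: The `secrets:` list in serviceaccount.yaml names `mongodb.fullname`, but the pod templates read credentials through `mongodb.secretName`, and secrets.yaml renders the chart Secret only when `.Values.auth.enabled` and `mongodb.createSecret` hold. With authentication disabled or an existing secret in use, the ServiceAccount would reference a Secret this chart does not create; the helpers are outside this hunk, so confirm what `mongodb.secretName` returns. I would wrap the entry in `{{- if .Values.auth.enabled }}` and use `- name: {{ include "mongodb.secretName" . }}`. The default of `.Values.serviceAccount.automountServiceAccountToken` is not visible here; since the statefulset hunk enables the token explicitly only for the auto-discovery init container, it is worth checking that values.yaml leaves the account-level setting off.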
@@ -0,0 +1,48 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.serviceMonitor.namespace" . }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: metrics + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" 
.Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - "{{ include "mongodb.namespace" . }}" +{{- end }} diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml new file mode 100644 index 0000000000..29dd406bca --- /dev/null +++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml 
@@ -0,0 +1,520 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if not (eq .Values.architecture "replicaset") }} +apiVersion: {{ if .Values.useStatefulSet }}{{ include "common.capabilities.statefulset.apiVersion" . }}{{- else }}{{ include "common.capabilities.deployment.apiVersion" . }}{{- end }} +kind: {{ if .Values.useStatefulSet }}StatefulSet{{- else }}Deployment{{- end }} +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + replicas: {{ gt (.Values.replicaCount | int) 1 | ternary 1 .Values.replicaCount }} + {{- if .Values.useStatefulSet }} + serviceName: {{ include "mongodb.service.nameOverride" . }} + {{- end }} + {{- if .Values.updateStrategy}} + {{- if .Values.useStatefulSet }} + updateStrategy: + {{- else }} + strategy: + {{- end }} + {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end}} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . 
) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: mongodb + {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }} + annotations: + {{- if (include "mongodb.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . 
}} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{ if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.tls.enabled }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and 
.Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + find {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . 
}} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . }} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if .Values.tls.extraDnsNames }} + - -n {{ join "," .Values.tls.extraDnsNames }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- toYaml .Values.tls.resources | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.tls.securityContext }} + securityContext: {{- toYaml .Values.tls.securityContext | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-root-password + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- 
end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - name: mongodb + containerPort: {{ .Values.containerPorts.mongodb }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + 
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPort }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- 
include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0550 + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.configmapName" . }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.standalone.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: {{ .Values.persistence.name | default "datadir" }} + {{- if .Values.persistence.medium }} + emptyDir: + medium: {{ .Values.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else if .Values.persistence.existingClaim }} + - name: {{ .Values.persistence.name | default "datadir" }} + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) 
}} + {{- else if not .Values.useStatefulSet }} + - name: {{ .Values.persistence.name | default "datadir" }} + persistentVolumeClaim: + claimName: {{ template "mongodb.fullname" . }} + {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: {{ .Values.persistence.name | default "datadir" }} + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/standalone/pvc.yaml b/kubernetes/common/mongodb/templates/standalone/pvc.yaml new file mode 100644 index 0000000000..d59bad918f --- /dev/null +++ b/kubernetes/common/mongodb/templates/standalone/pvc.yaml 
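Review bot: `ALLOW_EMPTY_PASSWORD` is rendered as `ternary "no" "yes" .Values.auth.enabled`, so `auth.enabled: false` starts the database without credentials, and nothing in this template ties that to how the pod is exposed. The sibling `standalone/svc.yaml` accepts `LoadBalancer` and `NodePort`, so I would fail the render for that combination near the top of the file: `{{- if and (not .Values.auth.enabled) (ne .Values.service.type "ClusterIP") }}{{ fail "auth.enabled=false is only allowed with service.type=ClusterIP" }}{{- end }}`. At minimum, add a template comment above the env entry saying the `yes` branch is meant for isolated test deployments only.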
@@ -0,0 +1,31 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (not (eq .Values.architecture "replicaset")) (not .Values.useStatefulSet) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ namespace: {{ include "mongodb.namespace" . | quote }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: mongodb
+ annotations:
+ {{- if .Values.persistence.resourcePolicy }}
+ helm.sh/resource-policy: {{ .Values.persistence.resourcePolicy | quote }}
+ {{- end }}
+ {{- if or .Values.persistence.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .Values.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size | quote }}
+ {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }}
+{{- end }}
diff --git a/kubernetes/common/mongodb/templates/standalone/svc.yaml b/kubernetes/common/mongodb/templates/standalone/svc.yaml
new file mode 100644
index 0000000000..5d0d03f3fb
--- /dev/null
+++ b/kubernetes/common/mongodb/templates/standalone/svc.yaml
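Review bot: The `annotations:` key is emitted unconditionally, so when `persistence.resourcePolicy`, `persistence.annotations` and `commonAnnotations` are all unset the manifest carries `annotations:` with a null value. `serviceaccount.yaml` and `standalone/svc.yaml` in this commit guard the key, and the same here would keep rendered output consistent: put `{{- if or .Values.persistence.resourcePolicy .Values.persistence.annotations .Values.commonAnnotations }}` before `annotations:` and a matching `{{- end }}` after the two inner blocks. A template comment is also worth adding to say that a `helm.sh/resource-policy` of `keep` leaves the database volume and its contents behind after uninstall, so cleanup has to be done separately.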
@@ -0,0 +1,62 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if not (eq .Values.architecture "replicaset") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} + {{- if .Values.service.externalIPs }} + externalIPs: {{ toYaml .Values.service.externalIPs | nindent 4 }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if (eq .Values.service.type "LoadBalancer") }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" 
.Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + ports: + - name: {{ .Values.service.portName | quote }} + port: {{ .Values.service.ports.mongodb }} + targetPort: mongodb + {{- if and (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) .Values.service.nodePorts.mongodb }} + nodePort: {{ .Values.service.nodePorts.mongodb }} + {{- else if eq .Values.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/kubernetes/common/mongodb/values.schema.json b/kubernetes/common/mongodb/values.schema.json new file mode 100644 index 0000000000..3eb6a64ce7 --- /dev/null +++ b/kubernetes/common/mongodb/values.schema.json 
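Review bot: With `service.type: LoadBalancer`, `loadBalancerSourceRanges` is emitted only when the value is set, so an empty list publishes the MongoDB port with no source restriction at the Service level. Because this Service fronts a database, I would make the omission explicit rather than silent, for example with a template comment above the block such as `{{- /* LoadBalancer without loadBalancerSourceRanges exposes the database to every client the load balancer accepts */}}`. A values-level note recommending `ClusterIP` unless external access is required would also help. The `externalIPs` block is rendered for every service type and deserves the same note.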
@@ -0,0 +1,232 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
+ "properties": {
+ "architecture": {
+ "type": "string",
+ "title": "MongoDB® architecture",
+ "form": true,
+ "description": "Allowed values: `standalone` or `replicaset`"
+ },
+ "auth": {
+ "type": "object",
+ "title": "Authentication configuration",
+ "form": true,
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Enable Authentication",
+ "form": true
+ },
+ "rootUser": {
+ "type": "string",
+ "title": "MongoDB® admin user",
+ "form": true,
+ "description": "Name of the admin user. Default is root"
+ },
+ "rootPassword": {
+ "type": "string",
+ "title": "MongoDB® admin password",
+ "form": true,
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "hidden": {
+ "value": false,
+ "path": "auth/enabled"
+ }
+ },
+ "database": {
+ "type": "string",
+ "title": "MongoDB® custom database",
+ "description": "Name of the custom database to be created during the 1st initialization of MongoDB®",
+ "form": true
+ },
+ "username": {
+ "type": "string",
+ "title": "MongoDB® custom user",
+ "description": "Name of the custom user to be created during the 1st initialization of MongoDB®. This user only has permissions on the MongoDB® custom database",
+ "form": true
+ },
+ "password": {
+ "type": "string",
+ "title": "Password for MongoDB® custom user",
+ "form": true,
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "hidden": {
+ "value": false,
+ "path": "auth/enabled"
+ }
+ },
+ "replicaSetKey": {
+ "type": "string",
+ "title": "Key used for replica set authentication",
+ "form": true,
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "hidden": {
+ "value": "standalone",
+ "path": "architecture"
+ }
+ }
+ }
+ },
+ "replicaCount": {
+ "type": "integer",
+ "form": true,
+ "title": "Number of MongoDB® replicas",
+ "hidden": {
+ "value": "standalone",
+ "path": "architecture"
+ }
+ },
+ "configuration": {
+ "type": "string",
+ "title": "MongoDB® Custom Configuration",
+ "form": true,
+ "render": "textArea"
+ },
+ "arbiter": {
+ "type": "object",
+ "title": "Arbiter configuration",
+ "form": true,
+ "properties": {
+ "configuration": {
+ "type": "string",
+ "title": "Arbiter Custom Configuration",
+ "form": true,
+ "render": "textArea",
+ "hidden": {
+ "value": "standalone",
+ "path": "architecture"
+ }
+ }
+ }
+ },
+ "networkPolicy": {
+ "type": "object",
+ "title": "Network policy configuration",
+ "form": true,
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable network policy",
+ "description": "Enable network policy using Kubernetes native NP",
+ "hidden": {
+ "value": false,
+ "path": "networkPolicy/enabled"
+ }
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "namespaceSelector": {
+ "type": "object",
+ "title": "Namespace selector label that is allowed to access this instance",
+ "hidden": {
+ "value": {},
+ "path": "networkPolicy/ingress/namespaceSelector"
+ }
+ },
+ "podSelector": {
+ "type": "object",
+ "title": "Pod selector label that is allowed to access this instance",
+ "hidden": {
+ "value": {},
+ "path": "networkPolicy/ingress/podSelector"
+ }
+ },
+ "customRules": {
+ "type": "array",
+ "title": "Custom rules for ingress network policy",
+ "hidden": {
+ "value": [],
+ "path": "networkPolicy/ingress/customRules"
+ }
+ }
+ }
+ },
+ "egress": {
+ "type": "object",
+ "properties": {
+ "customRules": {
+ "type": "array",
+ "title": "Custom rules for egress network policy",
+ "hidden": {
+ "value": [],
+ "path": "networkPolicy/egress/customRules"
+ }
+ }
+ }
+ }
+ }
+ },
+ "persistence": {
+ "type": "object",
+ "title": "Persistence configuration",
+ "form": true,
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable persistence",
+ "description": "Enable persistence using Persistent Volume Claims"
+ },
+ "size": {
+ "type": "string",
+ "title": "Persistent Volume Size",
+ "form": true,
+ "render": "slider",
+ "sliderMin": 1,
+ "sliderMax": 100,
+ "sliderUnit": "Gi",
+ "hidden": {
+ "value": false,
+ "path": "persistence/enabled"
+ }
+ }
+ }
+ },
+ "volumePermissions": {
+ "type": "object",
+ "hidden": {
+ "value": false,
+ "path": "persistence/enabled"
+ },
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable Init Containers",
+ "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination"
+ }
+ }
+ },
+ "metrics": {
+ "type": "object",
+ "form": true,
+ "title": "Prometheus metrics details",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Create Prometheus metrics exporter",
+ "description": "Create a side-car container to expose Prometheus metrics",
+ "form": true
+ },
+ "serviceMonitor": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Create Prometheus Operator ServiceMonitor",
+ "description": "Create a ServiceMonitor to track metrics using Prometheus Operator",
+ "form": true,
+ "hidden": {
+ "value": false,
+ "path": "metrics/enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/kubernetes/common/mongodb/values.yaml b/kubernetes/common/mongodb/values.yaml
new file mode 100644
index 0000000000..8d995ce973
--- /dev/null
+++ b/kubernetes/common/mongodb/values.yaml
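Review bot: `architecture` is typed as a free string and its two allowed values appear only in the description, while the standalone Service template in this commit tests `not (eq .Values.architecture "replicaset")`, so a misspelled value would pass schema validation and render as a standalone deployment. Adding `"enum": ["standalone", "replicaset"]` to the `architecture` property lets Helm reject such a value at install time. The `auth` properties also describe only the single `username`/`password`/`database` keys, which the values.yaml in this commit marks as deprecated in favour of `usernames`/`passwords`/`databases`, so the list forms are not type-checked here.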
@@ -0,0 +1,2415 @@ +# Copyright VMware, Inc. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + namespaceOverride: "" +## @section Common parameters +## + +## @param nameOverride String to partially override mongodb.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override mongodb.fullname template +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## extraDeploy: +## This needs to be uncommented and added to 'extraDeploy' in order to use the replicaset 'mongo-labeler' sidecar +## for dynamically discovering the mongodb primary pod +## suggestion is to use a hard-coded and predictable TCP port for the primary mongodb pod (here is 30001, choose your own) +## - apiVersion: v1 +## kind: Service +## metadata: +## name: mongodb-primary +## namespace: 
the-mongodb-namespace +## labels: +## app.kubernetes.io/component: mongodb +## app.kubernetes.io/instance: mongodb +## app.kubernetes.io/managed-by: Helm +## app.kubernetes.io/name: mongodb +## spec: +## type: NodePort +## externalTrafficPolicy: Cluster +## ports: +## - name: mongodb +## port: 30001 +## nodePort: 30001 +## protocol: TCP +## targetPort: mongodb +## selector: +## app.kubernetes.io/component: mongodb +## app.kubernetes.io/instance: mongodb +## app.kubernetes.io/name: mongodb +## primary: "true" +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template +## +commonLabels: {} +## @param commonAnnotations Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template +## +commonAnnotations: {} +## @param topologyKey Override common lib default topology key. If empty - "kubernetes.io/hostname" is used +## i.e. topologyKey: topology.kubernetes.io/zone +## +topologyKey: "" +## @param serviceBindings.enabled Create secret for service binding (Experimental) +## Ref: https://servicebinding.io/service-provider/ +## +serviceBindings: + enabled: false +## @param enableServiceLinks Whether information about services should be injected into pod's environment variable +## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace. +## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. 
+## +enableServiceLinks: true +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity +## @section MongoDB(®) parameters +## + +## Bitnami MongoDB(®) image +## ref: https://hub.docker.com/r/bitnami/mongodb/tags/ +## @param image.registry [default: REGISTRY_NAME] MongoDB(®) image registry +## @param image.repository [default: REPOSITORY_NAME/mongodb] MongoDB(®) image registry +## @skip image.tag MongoDB(®) image tag (immutable tags are recommended) +## @param image.digest MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy MongoDB(®) image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Set to true if you would like to see extra information on logs +## +image: + registry: docker.io + repository: bitnami/mongodb + tag: 7.0.5-debian-12-r5 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## @param schedulerName Name of the scheduler (other than default) to dispatch pods +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param architecture MongoDB(®) architecture (`standalone` or `replicaset`) +## +architecture: standalone +## @param useStatefulSet Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) +## +useStatefulSet: false +## MongoDB(®) Authentication parameters +## +auth: + ## @param auth.enabled Enable authentication + ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/ + ## + enabled: true + ## @param auth.rootUser MongoDB(®) root user + ## + rootUser: root + ## @param auth.rootPassword MongoDB(®) root password + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#setting-the-root-user-and-password-on-first-run + ## + rootPassword: "" + ## MongoDB(®) custom users and databases + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#creating-a-user-and-database-on-first-run + ## @param auth.usernames List of custom users to be created during the initialization + ## @param auth.passwords List of passwords for the custom users set at `auth.usernames` + ## @param auth.databases List of custom databases to be created during the initialization + ## + usernames: [] + passwords: [] + databases: [] + ## @param auth.username DEPRECATED: use `auth.usernames` instead + ## @param auth.password DEPRECATED: use `auth.passwords` instead + ## @param auth.database DEPRECATED: use `auth.databases` instead + ## + username: "" + password: "" + database: "" + ## @param auth.replicaSetKey Key used for authentication in the replicaset 
(only when `architecture=replicaset`) + ## + replicaSetKey: "" + ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) + ## NOTE: When it's set the previous parameters are ignored. + ## + existingSecret: "" +tls: + ## @param tls.enabled Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes + ## + enabled: false + mTLS: + ## @param tls.mTLS.enabled IF TLS support is enabled, require clients to provide certificates + enabled: true + ## @param tls.autoGenerated Generate a custom CA and self-signed certificates + ## + autoGenerated: true + ## @param tls.existingSecret Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`) + ## NOTE: When it's set it will disable secret creation. + ## + existingSecret: "" + ## Add Custom CA certificate + ## @param tls.caCert Custom CA certificated (base64 encoded) + ## @param tls.caKey CA certificate private key (base64 encoded) + ## + caCert: "" + caKey: "" + ## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. + ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA. + ## + pemChainIncluded: false + standalone: + ## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecret: "" + replicaset: + ## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. 
+ ## existingSecrets: + ## - "mySecret-0" + ## - "mySecret-1" + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecrets: [] + hidden: + ## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## existingSecrets: + ## - "mySecret-0" + ## - "mySecret-1" + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecrets: [] + arbiter: + ## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecret: "" + ## Bitnami Nginx image + ## @param tls.image.registry [default: REGISTRY_NAME] Init container TLS certs setup image registry + ## @param tls.image.repository [default: REPOSITORY_NAME/nginx] Init container TLS certs setup image repository + ## @skip tls.image.tag Init container TLS certs setup image tag (immutable tags are recommended) + ## @param tls.image.digest Init container TLS certs setup image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param tls.image.pullPolicy Init container TLS certs setup image pull policy + ## @param tls.image.pullSecrets Init container TLS certs specify docker-registry secret names as an array + ## @param tls.extraDnsNames Add extra dns names to the CA, can solve x509 auth issue for pod clients + ## + image: + registry: docker.io + repository: bitnami/nginx + tag: 1.25.4-debian-12-r1 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## e.g: + ## extraDnsNames + ## "DNS.6": "$my_host" + ## "DNS.7": "$test" + ## + extraDnsNames: [] + ## @param tls.mode Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) + ## + mode: requireTLS + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param tls.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param tls.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init Container securityContext + ## ref: https://kubernetes.io/docs/concepts/security/pod-security-policy/ + ## @param tls.securityContext Init container generate-tls-cert Security context + ## + securityContext: {} + ## Example: + ## allowPrivilegeEscalation: false + ## capabilities: + ## drop: ["ALL"] + ## +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false +## @param hostAliases Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## @param replicaSetName Name of the replica set (only when `architecture=replicaset`) +## Ignored when mongodb.architecture=standalone +## +replicaSetName: rs0 +## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) +## Ignored when mongodb.architecture=standalone +## Ignored when externalAccess.enabled=true +## +replicaSetHostnames: true +## @param enableIPv6 Switch to enable/disable IPv6 on MongoDB(®) +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#enablingdisabling-ipv6 +## +enableIPv6: false +## @param directoryPerDB Switch to enable/disable DirectoryPerDB on MongoDB(®) +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#enablingdisabling-directoryperdb +## +directoryPerDB: false +## MongoDB(®) System Log configuration +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#configuring-system-log-verbosity-level +## @param 
systemLogVerbosity MongoDB(®) system log verbosity level +## @param disableSystemLog Switch to enable/disable MongoDB(®) system log +## +systemLogVerbosity: 0 +disableSystemLog: false +## @param disableJavascript Switch to enable/disable MongoDB(®) server-side JavaScript execution +## ref: https://docs.mongodb.com/manual/core/server-side-javascript/ +## +disableJavascript: false +## @param enableJournal Switch to enable/disable MongoDB(®) Journaling +## ref: https://docs.mongodb.com/manual/reference/configuration-options/#mongodb-setting-storage.journal.enabled +## +enableJournal: true +## @param configuration MongoDB(®) configuration file to be used for Primary and Secondary nodes +## For documentation of all options, see: http://docs.mongodb.org/manual/reference/configuration-options/ +## Example: +## configuration: |- +## # where and how to store data. +## storage: +## dbPath: /bitnami/mongodb/data/db +## journal: +## enabled: true +## directoryPerDB: false +## # where to write logging data +## systemLog: +## destination: file +## quiet: false +## logAppend: true +## logRotate: reopen +## path: /opt/bitnami/mongodb/logs/mongodb.log +## verbosity: 0 +## # network interfaces +## net: +## port: 27017 +## unixDomainSocket: +## enabled: true +## pathPrefix: /opt/bitnami/mongodb/tmp +## ipv6: false +## bindIpAll: true +## # replica set options +## #replication: +## #replSetName: replicaset +## #enableMajorityReadConcern: true +## # process management options +## processManagement: +## fork: false +## pidFilePath: /opt/bitnami/mongodb/tmp/mongodb.pid +## # set parameter options +## setParameter: +## enableLocalhostAuthBypass: true +## # security options +## security: +## authorization: disabled +## #keyFile: /opt/bitnami/mongodb/conf/keyfile +## +configuration: "" +## @section replicaSetConfigurationSettings settings applied during runtime (not via configuration file) +## If enabled, these are applied by a script which is called within setup.sh +## for documentation 
see https://docs.mongodb.com/manual/reference/replica-configuration/#replica-set-configuration-fields +## @param replicaSetConfigurationSettings.enabled Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings +## @param replicaSetConfigurationSettings.configuration run-time rs.conf settings +## +replicaSetConfigurationSettings: + enabled: false + configuration: {} +## Custom configurations for individual replica set members. +## Use the prefix 'members[X].' to apply settings to the member X of the replica set. +## Example: 'members[0].priority: 3' sets the priority of the first replica set member to 3. +## The index X in 'members[X]' corresponds to the member's position in the replica set. +## members[0].priority: 3 +## chainingAllowed : false +## heartbeatTimeoutSecs : 10 +## heartbeatIntervalMillis : 2000 +## electionTimeoutMillis : 10000 +## catchUpTimeoutMillis : 30000 +## @param existingConfigmap Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes +## NOTE: When it's set the arbiter.configuration parameter is ignored +## +existingConfigmap: "" +## @param initdbScripts Dictionary of initdb scripts +## Specify dictionary of scripts to be run at first boot +## Example: +## initdbScripts: +## my_init_script.sh: | +## #!/bin/bash +## echo "Do something." +## +initdbScripts: {} +## @param initdbScriptsConfigMap Existing ConfigMap with custom initdb scripts +## +initdbScriptsConfigMap: "" +## Command and args for running the container (set to default if not set). 
Use array form +## @param command Override default container command (useful when using custom images) +## @param args Override default container args (useful when using custom images) +## +command: [] +args: [] +## @param extraFlags MongoDB(®) additional command line flags +## Example: +## extraFlags: +## - "--wiredTigerCacheSizeGB=2" +## +extraFlags: [] +## @param extraEnvVars Extra environment variables to add to MongoDB(®) pods +## E.g: +## extraEnvVars: +## - name: FOO +## value: BAR +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) +## +extraEnvVarsSecret: "" +## @section MongoDB(®) statefulset parameters +## + +## @param annotations Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template +## +annotations: {} +## @param labels Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template +## +labels: {} +## @param replicaCount Number of MongoDB(®) nodes +## When `mongodb.architecture=replicaset`, the number of replicas is taken in account +## When `mongodb.architecture=standalone`, the number of replicas can only be 0 or 1 (value higher then 1 will not be taken in account) +## +replicaCount: 2 +## @param updateStrategy.type Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, +## this parameter will be applied on a deployment object. 
In other case it will be applied on a statefulset object +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate +## @param podManagementPolicy Pod management policy for MongoDB(®) +## Should be initialized one by one when building the replicaset for the first time +## +podManagementPolicy: OrderedReady +## @param podAffinityPreset MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key MongoDB(®) Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values MongoDB(®) Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity MongoDB(®) Affinity for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param nodeSelector MongoDB(®) Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param tolerations MongoDB(®) Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param topologySpreadConstraints MongoDB(®) Spread Constraints for Pods +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## +topologySpreadConstraints: [] +## @param lifecycleHooks LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +## @param terminationGracePeriodSeconds MongoDB(®) Termination Grace Period +## +terminationGracePeriodSeconds: "" +## @param podLabels MongoDB(®) pod labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations MongoDB(®) Pod annotations +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param priorityClassName Name of the existing priority class to be used by MongoDB(®) pod(s) +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param runtimeClassName Name of the runtime class to be used by MongoDB(®) pod(s) +## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ +## +runtimeClassName: "" +## MongoDB(®) pods' Security Context. 
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enable MongoDB(®) pod(s)' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(®) pod(s) +## @param podSecurityContext.sysctls sysctl settings of the MongoDB(®) pod(s)' +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] +## MongoDB(®) containers' Security Context (main and metrics container). +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + 
seLinuxOptions: null + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## MongoDB(®) containers' resource requests and limits. +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "none" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} +## @param containerPorts.mongodb MongoDB(®) container port +## +containerPorts: + mongodb: 27017 +## MongoDB(®) pods' liveness probe. Evaluated as a template. 
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 +## MongoDB(®) pods' readiness probe. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 +## Slow starting containers can be protected through startup probes +## Startup probes are available in Kubernetes version 1.16 and above +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param 
startupProbe.failureThreshold Failure threshold for startupProbe
+## @param startupProbe.successThreshold Success threshold for startupProbe
+##
+startupProbe:
+ enabled: false
+ initialDelaySeconds: 5
+ periodSeconds: 20
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 30
+## @param customLivenessProbe Override default liveness probe for MongoDB(®) containers
+## Ignored when livenessProbe.enabled=true
+##
+customLivenessProbe: {}
+## @param customReadinessProbe Override default readiness probe for MongoDB(®) containers
+## Ignored when readinessProbe.enabled=true
+##
+customReadinessProbe: {}
+## @param customStartupProbe Override default startup probe for MongoDB(®) containers
+## Ignored when startupProbe.enabled=true
+##
+customStartupProbe: {}
+## @param initContainers Add additional init containers for the hidden node pod(s)
+## Example:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+initContainers: []
+## @param sidecars Add additional sidecar containers for the MongoDB(®) pod(s)
+## Example:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+## This is an optional 'mongo-labeler' sidecar container that tracks replica-set for the primary mongodb pod
+## and labels it dynamically with ' primary: "true" ' in order for an extra-deployed service to always expose
+## and attach to the primary pod, this needs to be uncommented along with the suggested 'extraDeploy' example
+## and the suggested rbac example for the pod to be allowed adding labels to mongo replica pods
+## search 'mongo-labeler' through this file to find the sections that needs to be uncommented to make it work
+##
+## - name: mongo-labeler
+## image: korenlev/k8s-mongo-labeler-sidecar
+## imagePullPolicy: Always
+## env:
+## - name: LABEL_SELECTOR
+## value:
"app.kubernetes.io/component=mongodb,app.kubernetes.io/instance=mongodb,app.kubernetes.io/name=mongodb"
+## - name: NAMESPACE
+## value: "the-mongodb-namespace"
+## - name: DEBUG
+## value: "true"
+##
+sidecars: []
+## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s)
+## Examples:
+## extraVolumeMounts:
+## - name: extras
+## mountPath: /usr/share/extras
+## readOnly: true
+##
+extraVolumeMounts: []
+## @param extraVolumes Optionally specify extra list of additional volumes to the MongoDB(®) statefulset
+## extraVolumes:
+## - name: extras
+## emptyDir: {}
+##
+extraVolumes: []
+## MongoDB(®) Pod Disruption Budget configuration
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+##
+pdb:
+ ## @param pdb.create Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s)
+ ##
+ create: false
+ ## @param pdb.minAvailable Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction
+ ##
+ minAvailable: 1
+ ## @param pdb.maxUnavailable Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction
+ ##
+ maxUnavailable: ""
+## @section Traffic exposure parameters
+##
+
+## Service parameters
+##
+service:
+ ## @param service.nameOverride MongoDB(®) service name
+ ##
+ nameOverride: ""
+ ## @param service.type Kubernetes Service type (only for standalone architecture)
+ ##
+ type: ClusterIP
+ ## @param service.portName MongoDB(®) service port name (only for standalone architecture)
+ ##
+ portName: mongodb
+ ## @param service.ports.mongodb MongoDB(®) service port.
+ ##
+ ports:
+ mongodb: 27017
+ ## @param service.nodePorts.mongodb Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture)
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePorts:
+ mongodb: ""
+ ## @param service.clusterIP MongoDB(®) service cluster IP (only for standalone architecture)
+ ## e.g:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param service.externalIPs Specify the externalIP value ClusterIP service type (only for standalone architecture)
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
+ ##
+ externalIPs: []
+ ## @param service.loadBalancerIP loadBalancerIP for MongoDB(®) Service (only for standalone architecture)
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.loadBalancerClass loadBalancerClass for MongoDB(®) Service (only for standalone architecture)
+ # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
+ loadBalancerClass: ""
+ ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer (only for standalone architecture)
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ##
+ loadBalancerSourceRanges: []
+ ## @param service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
+ ##
+ allocateLoadBalancerNodePorts: true
+ ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param service.annotations Provide any additional annotations that may be required
+ ##
+ annotations: {}
+ ## @param service.externalTrafficPolicy service external traffic
policy (only for standalone architecture)
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Local
+ ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ##
+ sessionAffinity: None
+ ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+ ## Headless service properties
+ ##
+ headless:
+ ## @param service.headless.annotations Annotations for the headless service.
+ ##
+ annotations: {}
+## External Access to MongoDB(®) nodes configuration
+##
+externalAccess:
+ ## @param externalAccess.enabled Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture)
+ ##
+ enabled: false
+ ## External IPs auto-discovery configuration
+ ## An init container is used to auto-detect LB IPs or node ports by querying the K8s API
+ ## Note: RBAC might be required
+ ##
+ autoDiscovery:
+ ## @param externalAccess.autoDiscovery.enabled Enable using an init container to auto-detect external IPs by querying the K8s API
+ ##
+ enabled: false
+ ## Bitnami Kubectl image
+ ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/
+ ## @param externalAccess.autoDiscovery.image.registry [default: REGISTRY_NAME] Init container auto-discovery image registry
+ ## @param externalAccess.autoDiscovery.image.repository [default: REPOSITORY_NAME/kubectl] Init container auto-discovery image repository
+ ## @skip externalAccess.autoDiscovery.image.tag Init container auto-discovery image tag (immutable tags are recommended)
+ ## @param externalAccess.autoDiscovery.image.digest Init container auto-discovery image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag
+ ## @param externalAccess.autoDiscovery.image.pullPolicy Init container auto-discovery image pull policy
+ ## @param externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/kubectl
+ tag: 1.29.2-debian-12-r1
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Init Container resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param externalAccess.autoDiscovery.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "none"
+ ## @param externalAccess.autoDiscovery.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Parameters to configure a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes.
+ ## @param externalAccess.externalMaster.enabled Use external master for bootstrapping
+ ## @param externalAccess.externalMaster.host External master host to bootstrap from
+ ## @param externalAccess.externalMaster.port Port for MongoDB(®) service external master host
+ ##
+ externalMaster:
+ enabled: false
+ host: ""
+ port: 27017
+ ## Parameters to configure K8s service(s) used to externally access MongoDB(®)
+ ## A new service per broker will be created
+ ##
+ service:
+ ## @param externalAccess.service.type Kubernetes Service type for external access.
Allowed values: NodePort, LoadBalancer or ClusterIP
+ ##
+ type: LoadBalancer
+ ## @param externalAccess.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer
+ ##
+ portName: "mongodb"
+ ## @param externalAccess.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer
+ ##
+ ports:
+ mongodb: 27017
+ ## @param externalAccess.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes
+ ## Example:
+ ## loadBalancerIPs:
+ ## - X.X.X.X
+ ## - Y.Y.Y.Y
+ ##
+ loadBalancerIPs: []
+ ## @param externalAccess.service.loadBalancerClass loadBalancerClass when service type is LoadBalancer
+ # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
+ loadBalancerClass: ""
+ ## @param externalAccess.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## Example:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param externalAccess.service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
+ ##
+ allocateLoadBalancerNodePorts: true
+ ## @param externalAccess.service.externalTrafficPolicy MongoDB(®) service external traffic policy
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Local
+ ## @param externalAccess.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort
+ ## Example:
+ ## nodePorts:
+ ## - 30001
+ ## - 30002
+ ##
+ nodePorts: []
+ ## @param externalAccess.service.domain Domain or external IP
used to configure MongoDB(®) advertised hostname when service type is NodePort
+ ## If not specified, the container will try to get the kubernetes node external IP
+ ## e.g:
+ ## domain: mydomain.com
+ ##
+ domain: ""
+ ## @param externalAccess.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param externalAccess.service.annotations Service annotations for external access
+ ##
+ annotations: {}
+ ## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ##
+ sessionAffinity: None
+ ## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+ ## External Access to MongoDB(®) Hidden nodes configuration
+ ##
+ hidden:
+ ## @param externalAccess.hidden.enabled Enable Kubernetes external cluster access to MongoDB(®) hidden nodes
+ ##
+ enabled: false
+ ## Parameters to configure K8s service(s) used to externally access MongoDB(®)
+ ## A new service per broker will be created
+ ##
+ service:
+ ## @param externalAccess.hidden.service.type Kubernetes Service type for external access.
Allowed values: NodePort or LoadBalancer
+ ##
+ type: LoadBalancer
+ ## @param externalAccess.hidden.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer
+ ##
+ portName: "mongodb"
+ ## @param externalAccess.hidden.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer
+ ##
+ ports:
+ mongodb: 27017
+ ## @param externalAccess.hidden.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes
+ ## Example:
+ ## loadBalancerIPs:
+ ## - X.X.X.X
+ ## - Y.Y.Y.Y
+ ##
+ loadBalancerIPs: []
+ ## @param externalAccess.hidden.service.loadBalancerClass loadBalancerClass when service type is LoadBalancer
+ # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
+ loadBalancerClass: ""
+ ## @param externalAccess.hidden.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## Example:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param externalAccess.hidden.service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
+ ##
+ allocateLoadBalancerNodePorts: true
+ ## @param externalAccess.hidden.service.externalTrafficPolicy MongoDB(®) service external traffic policy
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Local
+ ## @param externalAccess.hidden.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort.
Length must be the same as replicaCount
+ ## Example:
+ ## nodePorts:
+ ## - 30001
+ ## - 30002
+ ##
+ nodePorts: []
+ ## @param externalAccess.hidden.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort
+ ## If not specified, the container will try to get the kubernetes node external IP
+ ## e.g:
+ ## domain: mydomain.com
+ ##
+ domain: ""
+ ## @param externalAccess.hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param externalAccess.hidden.service.annotations Service annotations for external access
+ ##
+ annotations: {}
+ ## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ##
+ sessionAffinity: None
+ ## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+## @section Network policy parameters
+##
+
+## Network Policies
+## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+persistence:
+ ## @param persistence.enabled Enable MongoDB(®) data persistence using PVC
+ ##
+ enabled: true
+ ## @param persistence.name Name of the PVC and mounted volume
+ ##
+ name: "datadir"
+ ## @param persistence.medium Provide a medium for `emptyDir` volumes.
+ ## Requires persistence.enabled: false
+ ##
+ medium: ""
+ ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ ## Ignored when mongodb.architecture=replicaset
+ ##
+ existingClaim: ""
+ ## @param persistence.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation.
Leaving it empty will delete PVCs after the chart deleted
+ ##
+ resourcePolicy: ""
+ ## @param persistence.storageClass PVC Storage Class for MongoDB(®) data volume
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner.
+ ##
+ storageClass: ""
+ ## @param persistence.accessModes PV Access Mode
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param persistence.size PVC Storage Request for MongoDB(®) data volume
+ ##
+ size: 8Gi
+ ## @param persistence.annotations PVC annotations
+ ##
+ annotations: {}
+ ## @param persistence.mountPath Path to mount the volume at
+ ## MongoDB(®) images.
+ ##
+ mountPath: /bitnami/mongodb
+ ## @param persistence.subPath Subdirectory of the volume to mount at
+ ## and one PV for multiple services.
+ ##
+ subPath: ""
+ ## Fine tuning for volumeClaimTemplates
+ ##
+ volumeClaimTemplates:
+ ## @param persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes)
+ ## A label query over volumes to consider for binding (e.g.
when using local volumes)
+ ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
+ ##
+ selector: {}
+ ## @param persistence.volumeClaimTemplates.requests Custom PVC requests attributes
+ ## Sometime cloud providers use additional requests attributes to provision custom storage instance
+ ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset
+ ##
+ requests: {}
+ ## @param persistence.volumeClaimTemplates.dataSource Add dataSource to the VolumeClaimTemplate
+ ##
+ dataSource: {}
+## Persistent Volume Claim Retention Policy
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
+##
+persistentVolumeClaimRetentionPolicy:
+ ## @param persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for MongoDB(®) Statefulset
+ ##
+ enabled: false
+ ## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
+ ##
+ whenScaled: Retain
+ ## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
+ ##
+ whenDeleted: Retain
+## @section Backup parameters
+## This section implements a trivial logical dump cronjob of the database.
+## This only comes with the consistency guarantees of the dump program.
+## This is not a snapshot based roll forward/backward recovery backup.
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
+##
+backup:
+ ## @param backup.enabled Enable the logical dump of the database "regularly"
+ ##
+ enabled: false
+ ## Fine tuning cronjob's config
+ ##
+ cronjob:
+ ## @param backup.cronjob.schedule Set the cronjob parameter schedule
+ ##
+ schedule: "@daily"
+ ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy
+ ##
+ concurrencyPolicy: Allow
+ ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit
+ ##
+ failedJobsHistoryLimit: 1
+ ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit
+ ##
+ successfulJobsHistoryLimit: 3
+ ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds
+ ##
+ startingDeadlineSeconds: ""
+ ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished
+ ##
+ ttlSecondsAfterFinished: ""
+ ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy
+ ##
+ restartPolicy: OnFailure
+ ## backup container's Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param
backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param backup.cronjob.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 0
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## @param backup.cronjob.command Set backup container's command to run
+ ##
+ command: []
+ ## @param backup.cronjob.labels Set the cronjob labels
+ ##
+ labels: {}
+ ## @param backup.cronjob.annotations Set the cronjob annotations
+ ##
+ annotations: {}
+ ## Backup container's
+ ##
+ storage:
+ ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`)
+ ## If defined, PVC must be created manually before volume will be bound
+ ##
+ existingClaim: ""
+ ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted
+ ##
+ resourcePolicy: ""
+ ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner.
+ ##
+ storageClass: ""
+ ## @param backup.cronjob.storage.accessModes PV Access Mode
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume
+ ##
+ size: 8Gi
+ ## @param backup.cronjob.storage.annotations PVC annotations
+ ##
+ annotations: {}
+ ## @param backup.cronjob.storage.mountPath Path to mount the volume at
+ ##
+ mountPath: /backup/mongodb
+ ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at
+ ## and one PV for multiple services.
+ ##
+ subPath: ""
+ ## Fine tuning for volumeClaimTemplates
+ ##
+ volumeClaimTemplates:
+ ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes)
+ ## A label query over volumes to consider for binding (e.g. when using local volumes)
+ ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
+ ##
+ selector: {}
+## @section RBAC parameters
+##
+
+## ServiceAccount
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+ ## @param serviceAccount.create Enable creation of ServiceAccount for MongoDB(®) pods
+ ##
+ create: true
+ ## @param serviceAccount.name Name of the created serviceAccount
+ ## If not set and create is true, a name is generated using the mongodb.fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.annotations Additional Service Account annotations
+ ##
+ annotations: {}
+ ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
+ ## Can be set to false if pods using this serviceAccount do not need to use K8s API
+ ##
+ automountServiceAccountToken: false
+## Role Based Access
+## ref: https://kubernetes.io/docs/admin/authorization/rbac/
+##
+rbac:
+ ## @param rbac.create Whether to create & use RBAC resources or not
+ ## binding
MongoDB(®) ServiceAccount to a role
+ ## that allows MongoDB(®) pods querying the K8s API
+ ## this needs to be set to 'true' to enable the mongo-labeler sidecar primary mongodb discovery
+ ##
+ create: false
+ ## @param rbac.rules Custom rules to create following the role specification
+ ## The example below needs to be uncommented to use the 'mongo-labeler' sidecar for dynamic discovery of the primary mongodb pod:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ## - watch
+ ## - update
+ ##
+ rules: []
+## PodSecurityPolicy configuration
+## Be sure to also set rbac.create to true, otherwise Role and RoleBinding won't be created.
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+##
+podSecurityPolicy:
+ ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
+ ##
+ create: false
+ ## @param podSecurityPolicy.allowPrivilegeEscalation Enable privilege escalation
+ ## Either use predefined policy with some adjustments or use `podSecurityPolicy.spec`
+ ##
+ allowPrivilegeEscalation: false
+ ## @param podSecurityPolicy.privileged Allow privileged
+ ##
+ privileged: false
+ ## @param podSecurityPolicy.spec Specify the full spec to use for Pod Security Policy
+ ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ## Defining a spec ignores the above values.
+ ##
+ spec: {}
+ ## Example:
+ ## allowPrivilegeEscalation: false
+ ## fsGroup:
+ ## rule: 'MustRunAs'
+ ## ranges:
+ ## - min: 1001
+ ## max: 1001
+ ## hostIPC: false
+ ## hostNetwork: false
+ ## hostPID: false
+ ## privileged: false
+ ## readOnlyRootFilesystem: false
+ ## requiredDropCapabilities:
+ ## - ALL
+ ## runAsUser:
+ ## rule: 'MustRunAs'
+ ## ranges:
+ ## - min: 1001
+ ## max: 1001
+ ## seLinux:
+ ## rule: 'RunAsAny'
+ ## supplementalGroups:
+ ## rule: 'MustRunAs'
+ ## ranges:
+ ## - min: 1001
+ ## max: 1001
+ ## volumes:
+ ## - 'configMap'
+ ## - 'secret'
+ ## - 'emptyDir'
+ ## - 'persistentVolumeClaim'
+ ##
+## @section Volume Permissions parameters
+##
+## Init Container parameters
+## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
+## values from the securityContext section of the component
+##
+volumePermissions:
+ ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
+ ##
+ enabled: false
+ ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
+ ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository
+ ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
+ ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag
+ ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
+ ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/os-shell
+ tag: 12-debian-12-r15
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Init Container resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "none"
+ ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## Init container Security Context
+ ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
+ ## and not the below volumePermissions.securityContext.runAsUser
+ ## When runAsUser is set to special value "auto", init container will try to chwon the
+ ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
+ ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed).
+ ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with
+ ## podSecurityContext.enabled=false,containerSecurityContext.enabled=false and shmVolume.chmod.enabled=false
+ ## @param volumePermissions.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container
+ ##
+ securityContext:
+ seLinuxOptions: null
+ runAsUser: 0
+## @section Arbiter parameters
+##
+arbiter:
+ ## @param arbiter.enabled Enable deploying the arbiter
+ ## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/
+ ##
+ enabled: true
+ ## @param arbiter.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
+ ## @param arbiter.hostAliases Add deployment host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param arbiter.configuration Arbiter configuration file to be used
+ ## http://docs.mongodb.org/manual/reference/configuration-options/
+ ##
+ configuration: ""
+ ## @param arbiter.existingConfigmap Name of existing ConfigMap with Arbiter configuration
+ ## NOTE: When it's set the arbiter.configuration parameter is ignored
+ ##
+ existingConfigmap: ""
+ ## Command and args for running the container (set to default if not set). Use array form
+ ## @param arbiter.command Override default container command (useful when using custom images)
+ ## @param arbiter.args Override default container args (useful when using custom images)
+ ##
+ command: []
+ args: []
+ ## @param arbiter.extraFlags Arbiter additional command line flags
+ ## Example:
+ ## extraFlags:
+ ## - "--wiredTigerCacheSizeGB=2"
+ ##
+ extraFlags: []
+ ## @param arbiter.extraEnvVars Extra environment variables to add to Arbiter pods
+ ## E.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: BAR
+ ##
+ extraEnvVars: []
+ ## @param arbiter.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
+ ##
+ extraEnvVarsCM: ""
+ ## @param arbiter.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data)
+ ##
+ extraEnvVarsSecret: ""
+ ## @param arbiter.annotations Additional labels to be added to the Arbiter statefulset
+ ##
+ annotations: {}
+ ## @param arbiter.labels Annotations to be added to the Arbiter statefulset
+ ##
+ labels: {}
+ ## @param arbiter.topologySpreadConstraints MongoDB(®) Spread Constraints for arbiter Pods
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ ##
+ topologySpreadConstraints: []
+ ## @param arbiter.lifecycleHooks LifecycleHook for the Arbiter container to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param arbiter.terminationGracePeriodSeconds Arbiter Termination Grace Period
+ ##
+ terminationGracePeriodSeconds: ""
+ ## @param arbiter.updateStrategy.type Strategy that will be employed to update Pods in the StatefulSet
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ## updateStrategy:
+ ## type: RollingUpdate
+ ## rollingUpdate:
+ ## maxSurge: 25%
+ ## maxUnavailable: 25%
+ ##
+ updateStrategy:
+ type: RollingUpdate
+ ## @param arbiter.podManagementPolicy Pod management policy for MongoDB(®)
+ ## Should be initialized one by one when building the replicaset for the first time
+ ##
+ podManagementPolicy: OrderedReady
+ ## @param arbiter.schedulerName Name of the scheduler (other than default) to dispatch pods
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param arbiter.podAffinityPreset Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param arbiter.podAntiAffinityPreset Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param arbiter.nodeAffinityPreset.type Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param arbiter.nodeAffinityPreset.key Arbiter Node label key to match Ignored if `affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param arbiter.nodeAffinityPreset.values Arbiter Node label values to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param arbiter.affinity Arbiter Affinity for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: arbiter.podAffinityPreset, arbiter.podAntiAffinityPreset, and arbiter.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param arbiter.nodeSelector Arbiter Node labels for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param arbiter.tolerations Arbiter Tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param arbiter.podLabels Arbiter pod labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param arbiter.podAnnotations Arbiter Pod annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param arbiter.priorityClassName Name of the existing priority class to be used by Arbiter pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ ##
+ priorityClassName: ""
+ ## @param arbiter.runtimeClassName Name of the runtime class to be used by Arbiter pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
+ ##
+ runtimeClassName: ""
+ ## MongoDB(®) Arbiter pods' Security Context.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param arbiter.podSecurityContext.enabled Enable Arbiter pod(s)' Security Context
+ ## @param arbiter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param arbiter.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param arbiter.podSecurityContext.fsGroup Group ID for the volumes of the Arbiter pod(s)
+ ## @param arbiter.podSecurityContext.sysctls sysctl settings of the Arbiter pod(s)'
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ supplementalGroups: []
+ fsGroup: 1001
+ ## sysctl settings
+ ## Example:
+ ## sysctls:
+ ## - name: net.core.somaxconn
+ ## value: "10000"
+ ##
+ sysctls: []
+ ## MongoDB(®) Arbiter containers' Security Context (only main container).
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param arbiter.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param arbiter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param arbiter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param arbiter.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param arbiter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param arbiter.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param arbiter.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param arbiter.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 0
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## MongoDB(®) Arbiter containers' resource requests and limits.
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param arbiter.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "none"
+ ## @param arbiter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## @param arbiter.containerPorts.mongodb MongoDB(®) arbiter container port
+ ##
+ containerPorts:
+ mongodb: 27017
+ ## MongoDB(®) Arbiter pods' liveness probe. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param arbiter.livenessProbe.enabled Enable livenessProbe
+ ## @param arbiter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param arbiter.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param arbiter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param arbiter.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param arbiter.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 20
+ timeoutSeconds: 10
+ failureThreshold: 6
+ successThreshold: 1
+ ## MongoDB(®) Arbiter pods' readiness probe. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param arbiter.readinessProbe.enabled Enable readinessProbe
+ ## @param arbiter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param arbiter.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param arbiter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param arbiter.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param arbiter.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 20
+ timeoutSeconds: 10
+ failureThreshold: 6
+ successThreshold: 1
+ ## MongoDB(®) Arbiter pods' startup probe. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param arbiter.startupProbe.enabled Enable startupProbe
+ ## @param arbiter.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param arbiter.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param arbiter.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param arbiter.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param arbiter.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 30
+ ## @param arbiter.customLivenessProbe Override default liveness probe for Arbiter containers
+ ## Ignored when arbiter.livenessProbe.enabled=true
+ ##
+ customLivenessProbe: {}
+ ## @param arbiter.customReadinessProbe Override default readiness probe for Arbiter containers
+ ## Ignored when arbiter.readinessProbe.enabled=true
+ ##
+ customReadinessProbe: {}
+ ## @param arbiter.customStartupProbe Override default startup probe for Arbiter containers
+ ## Ignored when arbiter.startupProbe.enabled=true
+ ##
+ customStartupProbe: {}
+ ## @param arbiter.initContainers Add additional init containers for the Arbiter pod(s)
+ ## Example:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ initContainers: []
+ ## @param arbiter.sidecars Add additional sidecar containers for the Arbiter pod(s)
+ ## Example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param arbiter.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Arbiter container(s)
+ ## Examples:
+ ## extraVolumeMounts:
+ ## - name: extras
+ ## mountPath: /usr/share/extras
+ ## readOnly: true
+ ##
+ extraVolumeMounts: []
+ ## @param arbiter.extraVolumes Optionally specify extra list of additional volumes to the Arbiter statefulset
+ ## extraVolumes:
+ ## - name: extras
+ ## emptyDir: {}
+ ##
+ extraVolumes: []
+ ## MongoDB(®) Arbiter Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ##
+ pdb:
+ ## @param arbiter.pdb.create Enable/disable a Pod Disruption Budget creation for Arbiter pod(s)
+ ##
+ create: false
+ ## @param arbiter.pdb.minAvailable Minimum number/percentage of Arbiter pods that should remain scheduled
+ ##
+ minAvailable: 1
+ ## @param arbiter.pdb.maxUnavailable Maximum number/percentage of Arbiter pods that may be made unavailable
+ ##
+ maxUnavailable: ""
+ ## MongoDB(®) Arbiter service parameters
+ ##
+ service:
+ ## @param arbiter.service.nameOverride The arbiter service name
+ ##
+ nameOverride: ""
+ ## @param arbiter.service.ports.mongodb MongoDB(®) service port
+ ##
+ ports:
+ mongodb: 27017
+ ## @param arbiter.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param arbiter.service.annotations Provide any additional annotations that may be required
+ ##
+ annotations: {}
+ ## Headless service properties
+ ##
+ headless:
+ ## @param arbiter.service.headless.annotations Annotations for the headless service.
+ ##
+ annotations: {}
+## @section Hidden Node parameters
+##
+hidden:
+ ## @param hidden.enabled Enable deploying the hidden nodes
+ ## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/
+ ##
+ enabled: false
+ ## @param hidden.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
+ ## @param hidden.hostAliases Add deployment host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param hidden.configuration Hidden node configuration file to be used
+ ## http://docs.mongodb.org/manual/reference/configuration-options/
+ ##
+ configuration: ""
+ ## @param hidden.existingConfigmap Name of existing ConfigMap with Hidden node configuration
+ ## NOTE: When it's set the hidden.configuration parameter is ignored
+ ##
+ existingConfigmap: ""
+ ## Command and args for running the container (set to default if not set). Use array form
+ ## @param hidden.command Override default container command (useful when using custom images)
+ ## @param hidden.args Override default container args (useful when using custom images)
+ ##
+ command: []
+ args: []
+ ## @param hidden.extraFlags Hidden node additional command line flags
+ ## Example:
+ ## extraFlags:
+ ## - "--wiredTigerCacheSizeGB=2"
+ ##
+ extraFlags: []
+ ## @param hidden.extraEnvVars Extra environment variables to add to Hidden node pods
+ ## E.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: BAR
+ ##
+ extraEnvVars: []
+ ## @param hidden.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
+ ##
+ extraEnvVarsCM: ""
+ ## @param hidden.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data)
+ ##
+ extraEnvVarsSecret: ""
+ ## @param hidden.annotations Additional labels to be added to thehidden node statefulset
+ ##
+ annotations: {}
+ ## @param hidden.labels Annotations to be added to the hidden node statefulset
+ ##
+ labels: {}
+ ## @param hidden.topologySpreadConstraints MongoDB(®) Spread Constraints for hidden Pods
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ ##
+ topologySpreadConstraints: []
+ ## @param hidden.lifecycleHooks LifecycleHook for the Hidden container to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param hidden.replicaCount Number of hidden nodes (only when `architecture=replicaset`)
+ ## Ignored when mongodb.architecture=standalone
+ ##
+ replicaCount: 1
+ ## @param hidden.terminationGracePeriodSeconds Hidden Termination Grace Period
+ ##
+ terminationGracePeriodSeconds: ""
+ ## @param hidden.updateStrategy.type Strategy that will be employed to update Pods in the StatefulSet
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ## updateStrategy:
+ ## type: RollingUpdate
+ ## rollingUpdate:
+ ## maxSurge: 25%
+ ## maxUnavailable: 25%
+ ##
+ updateStrategy:
+ type: RollingUpdate
+ ## @param hidden.podManagementPolicy Pod management policy for hidden node
+ ##
+ podManagementPolicy: OrderedReady
+ ## @param hidden.schedulerName Name of the scheduler (other than default) to dispatch pods
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param hidden.podAffinityPreset Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param hidden.podAntiAffinityPreset Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ## Allowed values: soft, hard
+ ##
+ nodeAffinityPreset:
+ ## @param hidden.nodeAffinityPreset.type Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param hidden.nodeAffinityPreset.key Hidden Node label key to match Ignored if `affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param hidden.nodeAffinityPreset.values Hidden Node label values to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param hidden.affinity Hidden node Affinity for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param hidden.nodeSelector Hidden node Node labels for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ## @param hidden.tolerations Hidden node Tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param hidden.podLabels Hidden node pod labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param hidden.podAnnotations Hidden node Pod annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param hidden.priorityClassName Name of the existing priority class to be used by hidden node pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ ##
+ priorityClassName: ""
+ ## @param hidden.runtimeClassName Name of the runtime class to be used by hidden node pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
+ ##
+ runtimeClassName: ""
+ ## MongoDB(®) Hidden pods' Security Context.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param hidden.podSecurityContext.enabled Enable Hidden pod(s)' Security Context
+ ## @param hidden.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param hidden.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param hidden.podSecurityContext.fsGroup Group ID for the volumes of the Hidden pod(s)
+ ## @param hidden.podSecurityContext.sysctls sysctl settings of the Hidden pod(s)'
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ supplementalGroups: []
+ fsGroup: 1001
+ ## sysctl settings
+ ## Example:
+ ## sysctls:
+ ## - name: net.core.somaxconn
+ ## value: "10000"
+ ##
+ sysctls: []
+ ## MongoDB(®) Hidden containers' Security Context (only main container).
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param hidden.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param hidden.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param hidden.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param hidden.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param hidden.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param hidden.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param hidden.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param hidden.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param hidden.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param hidden.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 0
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## MongoDB(®) Hidden containers' resource requests and limits.
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "none"
+ ## @param hidden.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## @param hidden.containerPorts.mongodb MongoDB(®) hidden container port
+ ##
+ containerPorts:
+ mongodb: 27017
+ ## MongoDB(®) Hidden pods' liveness probe. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param hidden.livenessProbe.enabled Enable livenessProbe
+ ## @param hidden.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param hidden.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param hidden.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param hidden.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param hidden.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 20
+ timeoutSeconds: 10
+ failureThreshold: 6
+ successThreshold: 1
+ ## MongoDB(®) Hidden pods' readiness probe. Evaluated as a template.
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param hidden.readinessProbe.enabled Enable readinessProbe
+ ## @param hidden.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param hidden.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param hidden.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param hidden.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param hidden.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 20
+ timeoutSeconds: 10
+ failureThreshold: 6
+ successThreshold: 1
+ ## Slow starting containers can be protected through startup probes
+ ## Startup probes are available in Kubernetes version 1.16 and above
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
+ ## @param hidden.startupProbe.enabled Enable startupProbe
+ ## @param hidden.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param hidden.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param hidden.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param hidden.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param hidden.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 30
+ ## @param hidden.customLivenessProbe Override default liveness probe for hidden node containers
+ ## Ignored when hidden.livenessProbe.enabled=true
+ ##
+ customLivenessProbe: {}
+ ## @param hidden.customReadinessProbe Override default readiness probe for hidden node containers
+ ## Ignored when hidden.readinessProbe.enabled=true
+ ##
+ customReadinessProbe: {}
+ ## @param hidden.customStartupProbe Override default startup probe for MongoDB(®) containers
+ ## Ignored when hidden.startupProbe.enabled=true
+ ##
+ customStartupProbe: {}
+ ## @param hidden.initContainers Add init containers to the MongoDB(®) Hidden pods.
+ ## Example:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ initContainers: []
+ ## @param hidden.sidecars Add additional sidecar containers for the hidden node pod(s)
+ ## Example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param hidden.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the hidden node container(s)
+ ## Examples:
+ ## extraVolumeMounts:
+ ## - name: extras
+ ## mountPath: /usr/share/extras
+ ## readOnly: true
+ ##
+ extraVolumeMounts: []
+ ## @param hidden.extraVolumes Optionally specify extra list of additional volumes to the hidden node statefulset
+ ## extraVolumes:
+ ## - name: extras
+ ## emptyDir: {}
+ ##
+ extraVolumes: []
+ ## MongoDB(®) Hidden Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ##
+ pdb:
+ ## @param hidden.pdb.create Enable/disable a Pod Disruption Budget creation for hidden node pod(s)
+ ##
+ create: false
+ ## @param hidden.pdb.minAvailable Minimum number/percentage of hidden node pods that should remain scheduled
+ ##
+ minAvailable: 1
+ ## @param hidden.pdb.maxUnavailable Maximum number/percentage of hidden node pods that may be made unavailable
+ ##
+ maxUnavailable: ""
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+ ##
+ persistence:
+ ## @param hidden.persistence.enabled Enable hidden node data persistence using PVC
+ ##
+ enabled: true
+ ## @param hidden.persistence.medium Provide a medium for `emptyDir` volumes.
+ ## Requires hidden.persistence.enabled: false
+ ##
+ medium: ""
+ ## @param hidden.persistence.storageClass PVC Storage Class for hidden node data volume
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner.
+ ##
+ storageClass: ""
+ ## @param hidden.persistence.accessModes PV Access Mode
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param hidden.persistence.size PVC Storage Request for hidden node data volume
+ ##
+ size: 8Gi
+ ## @param hidden.persistence.annotations PVC annotations
+ ##
+ annotations: {}
+ ## @param hidden.persistence.mountPath The path the volume will be mounted at, useful when using different MongoDB(®) images.
+ ##
+ mountPath: /bitnami/mongodb
+ ## @param hidden.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ ##
+ subPath: ""
+ ## Fine tuning for volumeClaimTemplates
+ ##
+ volumeClaimTemplates:
+ ## @param hidden.persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes)
+ ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details
+ ##
+ selector: {}
+ ## @param hidden.persistence.volumeClaimTemplates.requests Custom PVC requests attributes
+ ## Sometime cloud providers use additional requests attributes to provision custom storage instance
+ ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset
+ ##
+ requests: {}
+ ## @param hidden.persistence.volumeClaimTemplates.dataSource Set volumeClaimTemplate dataSource
+ ##
+ dataSource: {}
+ service:
+ ## @param hidden.service.portName MongoDB(®) service port name
+ ##
+ portName: "mongodb"
+ ## @param hidden.service.ports.mongodb MongoDB(®) service port
+ ##
+ ports:
+ mongodb: 27017
+ ## @param hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param hidden.service.annotations Provide any additional annotations that may be required
+ ##
+ annotations: {}
+ ## Headless service properties
+ ##
+ headless:
+ ## @param hidden.service.headless.annotations Annotations for the headless service.
+ ##
+ annotations: {}
+## @section Metrics parameters
+##
+metrics:
+ ## @param metrics.enabled Enable using a sidecar Prometheus exporter
+ ##
+ enabled: false
+ ## Bitnami MongoDB(®) Promtheus Exporter image
+ ## ref: https://hub.docker.com/r/bitnami/mongodb-exporter/tags/
+ ## @param metrics.image.registry [default: REGISTRY_NAME] MongoDB(®) Prometheus exporter image registry
+ ## @param metrics.image.repository [default: REPOSITORY_NAME/mongodb-exporter] MongoDB(®) Prometheus exporter image repository
+ ## @skip metrics.image.tag MongoDB(®) Prometheus exporter image tag (immutable tags are recommended)
+ ## @param metrics.image.digest MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param metrics.image.pullPolicy MongoDB(®) Prometheus exporter image pull policy
+ ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/mongodb-exporter
+ tag: 0.40.0-debian-12-r11
+ digest: ""
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## @param metrics.username String with username for the metrics exporter
+ ## If undefined the root user will be used for the metrics exporter
+ ##
+ username: ""
+ ## @param metrics.password String with password for the metrics exporter
+ ## If undefined but metrics.username is defined, a random password will be generated
+ ##
+ password: ""
+ ## @param metrics.compatibleMode Enables old style mongodb-exporter metrics
+ compatibleMode: true
+ collector:
+ ## @param metrics.collector.all Enable all collectors.
Same as enabling all individual metrics + ## Enabling all metrics will cause significant CPU load on mongod + all: false + ## @param metrics.collector.diagnosticdata Boolean Enable collecting metrics from getDiagnosticData + diagnosticdata: true + ## @param metrics.collector.replicasetstatus Boolean Enable collecting metrics from replSetGetStatus + replicasetstatus: true + ## @param metrics.collector.dbstats Boolean Enable collecting metrics from dbStats + dbstats: false + ## @param metrics.collector.topmetrics Boolean Enable collecting metrics from top admin command + topmetrics: false + ## @param metrics.collector.indexstats Boolean Enable collecting metrics from $indexStats + indexstats: false + ## @param metrics.collector.collstats Boolean Enable collecting metrics from $collStats + collstats: false + ## @param metrics.collector.collstatsColls List of \.\ to get $collStats + collstatsColls: [] + ## @param metrics.collector.indexstatsColls List - List of \.\ to get $indexStats + indexstatsColls: [] + ## @param metrics.collector.collstatsLimit Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit + collstatsLimit: 0 + ## @param metrics.extraFlags String with extra flags to the metrics exporter + ## ref: https://github.com/percona/mongodb_exporter/blob/main/main.go + ## + extraFlags: "" + ## Command and args for running the container (set to default if not set). Use array form + ## @param metrics.command Override default container command (useful when using custom images) + ## @param metrics.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## Metrics exporter container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. 
This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param metrics.containerPort Port of the Prometheus metrics container + ## + containerPort: 9216 + ## Prometheus Exporter service configuration + ## + service: + ## @param metrics.service.annotations [object] Annotations for Prometheus Exporter pods. Evaluated as a template. 
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + prometheus.io/path: "/metrics" + ## @param metrics.service.type Type of the Prometheus metrics service + ## + type: ClusterIP + ## @param metrics.service.ports.metrics Port of the Prometheus metrics service + ## + ports: + metrics: 9216 + ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## Metrics exporter liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param metrics.livenessProbe.enabled Enable livenessProbe + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 15 + periodSeconds: 5 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + ## Metrics exporter readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param metrics.readinessProbe.enabled Enable readinessProbe + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param 
metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + ## Slow starting containers can be protected through startup probes + ## Startup probes are available in Kubernetes version 1.16 and above + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes + ## @param metrics.startupProbe.enabled Enable startupProbe + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param metrics.customLivenessProbe Override default liveness probe for MongoDB(®) containers + ## Ignored when livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Override default readiness probe for MongoDB(®) containers + ## Ignored when readinessProbe.enabled=true + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Override default startup probe for MongoDB(®) containers + ## Ignored when startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the metrics container(s) + ## Examples: + ## extraVolumeMounts: + ## - name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## Prometheus Service Monitor + ## ref: 
https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion. + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.labels Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
+ ## + jobLabel: "" + ## Custom PrometheusRule to be defined + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator + ## + enabled: false + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.namespace Namespace where prometheusRules resource should be created + ## + namespace: "" + ## @param metrics.prometheusRule.rules Rules to be created, check values for an example + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#rulegroup + ## https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + ## + ## This is an example of a rule, you should add the below code block under the "rules" param, removing the brackets + ## rules: + ## - alert: HighRequestLatency + ## expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 + ## for: 10m + ## labels: + ## severity: page + ## annotations: + ## summary: High request latency + ## + rules: [] diff --git a/kubernetes/common/music/Chart.yaml b/kubernetes/common/music/Chart.yaml deleted file mode 100644 index c41eff4d10..0000000000 --- a/kubernetes/common/music/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: MUSIC - Multi-site State Coordination Service
-name: music
-version: 12.0.0
-
-dependencies:
- - name: music-cassandra
- version: ~12.x-0
- repository: 'file://components/music-cassandra'
- - name: common
- version: ~12.x-0
- repository: 'file://../common'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: 'file://../repositoryGenerator'
- - name: certInitializer
- version: ~12.x-0
- repository: 'file://../certInitializer'
\ No newline at end of file
diff --git a/kubernetes/common/music/Makefile b/kubernetes/common/music/Makefile
deleted file mode 100644
index ef273d0e9b..0000000000
--- a/kubernetes/common/music/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES := dist resources templates charts docker
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/common/music/components/Makefile b/kubernetes/common/music/components/Makefile
deleted file mode 100644
index 79ba2fb47e..0000000000
--- a/kubernetes/common/music/components/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES :=
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/common/music/components/music-cassandra/.helmignore b/kubernetes/common/music/components/music-cassandra/.helmignore
deleted file mode 100644
index f0c1319444..0000000000
--- a/kubernetes/common/music/components/music-cassandra/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/common/music/components/music-cassandra/Chart.yaml b/kubernetes/common/music/components/music-cassandra/Chart.yaml
deleted file mode 100644
index 6c68082595..0000000000
--- a/kubernetes/common/music/components/music-cassandra/Chart.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP - Cassandra Database
-name: music-cassandra
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: 'file://../../../common'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: 'file://../../../repositoryGenerator'
\ No newline at end of file
diff --git a/kubernetes/common/music/components/music-cassandra/resources/LICENSE.txt b/kubernetes/common/music/components/music-cassandra/resources/LICENSE.txt
deleted file mode 100644
index 7f60913d26..0000000000
--- a/kubernetes/common/music/components/music-cassandra/resources/LICENSE.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
\ No newline at end of file
diff --git a/kubernetes/common/music/components/music-cassandra/resources/cql/admin.cql b/kubernetes/common/music/components/music-cassandra/resources/cql/admin.cql
deleted file mode 100644
index a76d774bd3..0000000000
--- a/kubernetes/common/music/components/music-cassandra/resources/cql/admin.cql
+++ /dev/null
@@ -1,19 +0,0 @@
-CREATE KEYSPACE IF NOT EXISTS admin
- WITH REPLICATION = {
- 'class' : '{{.Values.cql.keyspace.replicationClass}}',
- 'replication_factor': {{.Values.cql.keyspace.replicationFactor}}
- }
- AND DURABLE_WRITES = true;
-
-CREATE TABLE IF NOT EXISTS admin.keyspace_master (
- uuid uuid,
- keyspace_name text,
- application_name text,
- is_api boolean,
- password text,
- username text,
- is_aaf boolean,
- PRIMARY KEY (uuid)
-);
-
-describe keyspaces;
diff --git a/kubernetes/common/music/components/music-cassandra/resources/cql/admin_pw.cql b/kubernetes/common/music/components/music-cassandra/resources/cql/admin_pw.cql
deleted file mode 100644
index 24f2ad77f7..0000000000
--- a/kubernetes/common/music/components/music-cassandra/resources/cql/admin_pw.cql
+++ /dev/null
@@ -1,8 +0,0 @@
-CREATE ROLE IF NOT EXISTS {{.Values.cql.adminUser.username}}
-WITH PASSWORD = '{{.Values.cql.adminUser.password}}'
-AND SUPERUSER = true
-AND LOGIN = true;
-
-ALTER ROLE cassandra
-WITH PASSWORD = '{{.Values.cql.adminUser.passwordReplace}}';
-
diff --git a/kubernetes/common/music/components/music-cassandra/resources/cql/extra/check.cql b/kubernetes/common/music/components/music-cassandra/resources/cql/extra/check.cql
deleted file mode 100644
index a516be857b..0000000000
--- a/kubernetes/common/music/components/music-cassandra/resources/cql/extra/check.cql
+++ /dev/null
@@ -1,23 +0,0 @@
-CREATE KEYSPACE testks
- WITH REPLICATION = {
- 'class' : '{{.Values.cql.keyspace.replicationClass}}',
- 'replication_factor': {{.Values.cql.keyspace.replicationFactor}}
- }
- AND DURABLE_WRITES = true;
-
-CREATE TABLE testks.keyspace_master_table (
- uuid uuid,
- keyspace_name text,
- application_name text,
- is_api boolean,
- password text,
- username text,
- is_aaf boolean,
- PRIMARY KEY (uuid)
-);
-
-DESCRIBE KEYSPACES;
-DESCRIBE keyspace testks;
-SELECT * FROM system_auth.roles;
-DROP keyspace testks;
-
diff --git a/kubernetes/common/music/components/music-cassandra/templates/configmap.yaml b/kubernetes/common/music/components/music-cassandra/templates/configmap.yaml
deleted file mode 100755
index 011dccda25..0000000000
--- a/kubernetes/common/music/components/music-cassandra/templates/configmap.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-cql
- namespace: {{ include "common.namespace" . }}
-data:
-{{ tpl (.Files.Glob "resources/cql/*").AsConfig . | indent 2 }}
-
diff --git a/kubernetes/common/music/components/music-cassandra/templates/configmap_extra.yaml b/kubernetes/common/music/components/music-cassandra/templates/configmap_extra.yaml
deleted file mode 100755
index 72733b3088..0000000000
--- a/kubernetes/common/music/components/music-cassandra/templates/configmap_extra.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-extra-cql
- namespace: {{ include "common.namespace" . }}
-data:
-{{ tpl (.Files.Glob "resources/cql/extra/*").AsConfig . | indent 2 }}
-
diff --git a/kubernetes/common/music/components/music-cassandra/templates/job.yaml b/kubernetes/common/music/components/music-cassandra/templates/job.yaml
deleted file mode 100644
index d3c89d4a59..0000000000
--- a/kubernetes/common/music/components/music-cassandra/templates/job.yaml
+++ /dev/null
@@ -1,87 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "common.fullname" . }}-config
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}-job
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- template:
- metadata:
- labels:
- app: {{ include "common.name" . }}-job
- release: {{ include "common.release" . }}
- spec:
- restartPolicy: Never
- initContainers:
- - name: {{ include "common.name" . }}-readiness
- image: {{ include "repositoryGenerator.image.readiness" . }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command:
- - /app/ready.py
- args:
- - --container-name
- - music-cassandra
- env:
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- containers:
- - name: {{ include "common.name" . }}-update-job
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.job.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- env:
- - name: CASS_HOSTNAME
- value: "{{ .Values.job.host }}"
- - name: USERNAME
- value: "{{ .Values.cql.adminUser.username }}"
- - name: PORT
- value: "{{ .Values.job.port }}"
- - name: PASSWORD
- value: "{{ .Values.cql.adminUser.password }}"
- - name: TIMEOUT
- value: "{{ .Values.job.timeout }}"
- - name: DELAY
- value: "{{ .Values.job.delay }}"
- volumeMounts:
- # Admin cql Files that setup Admin Keyspace and Change Admin user.
- - name: {{ include "common.name" . }}-cql
- mountPath: /cql/admin.cql
- subPath: admin.cql
- - name: {{ include "common.name" . }}-cql
- mountPath: /cql/admin_pw.cql
- subPath: admin_pw.cql
- # This is where Apps or MISC will put any of their own startup cql scripts.
- - name: {{ include "common.name" . }}-extra-cql
- mountPath: /cql/extra
- volumes:
- - name: {{ include "common.name" . }}-cql
- configMap:
- name: {{ include "common.fullname" . }}-cql
- - name: {{ include "common.name" . }}-extra-cql
- configMap:
- name: {{ include "common.fullname" . }}-extra-cql
- restartPolicy: Never
- imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/common/music/components/music-cassandra/templates/pv.yaml b/kubernetes/common/music/components/music-cassandra/templates/pv.yaml
deleted file mode 100644
index 8399bff77d..0000000000
--- a/kubernetes/common/music/components/music-cassandra/templates/pv.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- $global := . }}
-{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }}
-{{- if eq "True" (include "common.needPV" .) -}}
-{{- range $i := until (int $global.Values.replicaCount)}}
-kind: PersistentVolume
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" $global }}-data-{{ $i }}
- namespace: {{ include "common.namespace" $global }}
- labels:
- app: {{ include "common.fullname" $global }}
- chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}"
- release: "{{ include "common.release" $global }}"
- heritage: "{{ $global.Release.Service }}"
- name: {{ include "common.fullname" $global }}
-spec:
- capacity:
- storage: {{ $global.Values.persistence.size}}
- accessModes:
- - {{ $global.Values.persistence.accessMode }}
- persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }}
- storageClassName: "{{ include "common.fullname" $global }}-data"
- hostPath:
- path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}}
-{{if ne $i (int $global.Values.replicaCount) }}
----
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/common/music/components/music-cassandra/templates/service.yaml b/kubernetes/common/music/components/music-cassandra/templates/service.yaml
deleted file mode 100644
index 5a26d6701c..0000000000
--- a/kubernetes/common/music/components/music-cassandra/templates/service.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
- annotations:
- service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
-spec:
- type: {{ .Values.service.type }}
- # Not working, open k8s bug: https://github.com/kubernetes/kubernetes/issues/58662
- publishNotReadyAddresses: true
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
- - port: {{ .Values.service.internalPort2 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
- name: {{ .Values.service.portName3 }}
- - port: {{ .Values.service.internalPort3 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }}
- name: {{ .Values.service.portName3 }}
- {{- else -}}
- - port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- - port: {{ .Values.service.internalPort2 }}
- name: {{ .Values.service.portName2 }}
- - port: {{ .Values.service.internalPort3 }}
- name: {{ .Values.service.portName3 }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- clusterIP: None
diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml
deleted file mode 100644
index d80e70b5fb..0000000000
--- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml
+++ /dev/null
@@ -1,143 +0,0 @@ -{{/* -# Copyright © 2019 AT&T, Amdocs, Bell Canada, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - podManagementPolicy: {{ .Values.podManagementPolicy }} - updateStrategy: - type: {{ .Values.updateStrategy.type }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} - readinessProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - successThreshold: {{ .Values.readiness.successThreshold }} - failureThreshold: {{ .Values.readiness.failureThreshold }} - startupProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} - periodSeconds: {{ .Values.startup.periodSeconds }} - timeoutSeconds: {{ .Values.startup.timeoutSeconds }} - successThreshold: {{ .Values.startup.successThreshold }} - failureThreshold: {{ .Values.startup.failureThreshold }} - lifecycle: - preStop: - exec: - command: ["/bin/sh", "-c", "PID=$(pidof java) && kill $PID && while ps -p $PID > /dev/null; do sleep 1; done"] - env: - {{- $seed_size := default 1 .Values.replicaCount | int -}} - {{- $global := . 
}} - - name: MAX_HEAP_SIZE - value: {{ .Values.config.heap.max }} - - name: HEAP_NEWSIZE - value: {{ .Values.config.heap.min }} - - name: CASSANDRA_SEEDS - value: "{{- range $i, $e := until $seed_size }}{{ template "common.fullname" $global }}-{{ $i }}.{{ include "common.servicename" $global }}{{- if (lt ( add 1 $i ) $seed_size ) }},{{- end }}{{- end }}" - - name: JVM_OPTS - value: {{ .Values.config.jvmOpts | quote }} - - name: CASSANDRA_CLUSTER_NAME - value: {{ .Values.config.clusterName | quote }} - - name: CASSANDRA_DC - value: {{ .Values.config.dataCenter | quote }} - - name: CASSANDRA_RACK - value: {{ .Values.config.rackName | quote }} - - name: CASSANDRA_AUTO_BOOTSTRAP - value: {{ .Values.config.autoBootstrap | quote }} - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP -{{- if .Values.persistence.enabled }} - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/cassandra -{{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end }} diff --git a/kubernetes/common/music/components/music-cassandra/values.yaml b/kubernetes/common/music/components/music-cassandra/values.yaml deleted file mode 100644 index 92ed723989..0000000000 --- a/kubernetes/common/music/components/music-cassandra/values.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - nodePortPrefix: 302 - persistence: {} - -replicaCount: 1 - -# Cassandra Image - This image is modified from the original on -# Docker Hub where the Security has been turned on. -# When logging into DB the default username and password are 'cassandra' -# kubectl exec -it -n cqlsh -u cassandra -p cassandra -image: onap/music/cassandra_3_11:3.0.24 -pullPolicy: Always - -# Cassandra ENV configuration -config: - heap: - max: 512M - min: 100M - jvmOpts: -Dcassandra.consistent.rangemovement=false - clusterName: music-cluster - dataCenter: onap-1 - rackName: Rack1 - autoBootstrap: true - ports: - cql: &cqlPort 9042 - thrift: &thriftPort 9160 - # If a JVM Agent is in place - # agent: 61621 - -service: - expose: true - type: ClusterIP - name: &cassandraService music-cassandra - internalPort: *cqlPort - portName: cql - internalPort2: *thriftPort - portName2: thrift - internalPort3: 61621 - portName3: agent - -job: - host: *cassandraService - port: *cqlPort - timeout: 30 - delay: 120 - image: onap/music/cassandra_job:3.0.24 - -cql: - keyspace: - replicationClass: "SimpleStrategy" - replicationFactor: 3 - adminUser: - username: nelson24 - password: nelson24 - passwordReplace: A2C4E6G8I0J2L4O6Q8S0U2W4Y6 - -# probe configuration 
parameters -liveness: - initialDelaySeconds: 1 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 1 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - -startup: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 90 - -podManagementPolicy: OrderedReady -updateStrategy: - type: OnDelete - -ingress: - enabled: false - -tolerations: [] - -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - ## storageClass: "-" - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs/ - mountSubPath: common/cassandra/data - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 500m - memory: 1.2Gi - requests: - cpu: 160m - memory: 900Mi - large: - limits: - cpu: 4 - memory: 10Gi - requests: - cpu: 2 - memory: 6Gi - unlimited: {} diff --git a/kubernetes/common/music/resources/config/logback.xml b/kubernetes/common/music/resources/config/logback.xml deleted file mode 100755 index 51423e547d..0000000000 --- a/kubernetes/common/music/resources/config/logback.xml +++ /dev/null 
@@ -1,302 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - %d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %X{keyspace} %msg%n - - - - - - - - - ${logDirectory}/${generalLogName}.log - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.%i.log.zip - 1GB - 5 - 5GB - - - ${applicationLoggerPattern} - - - - - 256 - true - - - - - - - - keyspace - unknown - - - - ${logDirectory}/${generalLogName}-keyspace.log - - ${logDirectory}/${generalLogName}-${keyspace}.%d{yyyy-MM-dd}.%i.log.zip - 30 - - - ${applicationLoggerPattern} - - - - - - - 256 - true - - - - - - - - - - - ${logDirectory}/${securityLogName}.log - - ${logDirectory}/${securityLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - %d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %msg%n - - - - - 256 - 0 - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - ${auditLoggerPattern} - - - - 256 - - - - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.%i.log.zip - - 1 - 9 - - - 5MB - - - - ${metricsLoggerPattern} - - - - - - 256 - - - - - ${logDirectory}/${errorLogName}.log - - ${logDirectory}/${errorLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - ${errorLoggerPattern} - - - - - 256 - - - - - ${debugLogDirectory}/${debugLogName}.log - - ${debugLogDirectory}/${debugLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - ${debugLoggerPattern} - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/common/music/resources/config/music-sb.properties b/kubernetes/common/music/resources/config/music-sb.properties deleted file mode 100755 index 7a13f10d8e..0000000000 --- a/kubernetes/common/music/resources/config/music-sb.properties +++ /dev/null 
@@ -1,13 +0,0 @@
-server.port=8443
-server.servlet.context-path=/MUSIC/rest
-spring.jackson.mapper.ACCEPT_CASE_INSENSITIVE_ENUMS=true
-#server.ssl.enabled=false
-server.tomcat.max-threads=100
-#logging.file=/opt/app/music/logs/MUSIC/music-app.log
-#logging.config=file:/opt/app/music/etc/logback.xml
-security.require-ssl=true
-server.ssl.key-store=/opt/app/aafcertman/local/org.onap.music.jks
-server.ssl.key-store-password=${KEYSTORE_PASSWORD}
-server.ssl.key-store-provider=SUN
-server.ssl.key-store-type=JKS
-
diff --git a/kubernetes/common/music/resources/config/music.properties b/kubernetes/common/music/resources/config/music.properties
deleted file mode 100755
index a7681d0a02..0000000000
--- a/kubernetes/common/music/resources/config/music.properties
+++ /dev/null
@@ -1,24 +0,0 @@
-lock.using={{.Values.properties.lockUsing}}
-cassandra.host={{.Values.properties.cassandraHost}}
-cassandra.port={{ .Values.properties.cassandraPort }}
-lock.lease.period={{.Values.properties.lockLeasePeriod}}
-cassandra.user=${CASSA_USER}
-cassandra.password=${CASSA_PASSWORD}
-cassandra.connecttimeoutms={{.Values.properties.cassandraConnecttimeoutms}}
-cassandra.readtimeoutms={{.Values.properties.cassandraReadtimeoutms}}
-cadi={{.Values.properties.cadi}}
-music.aaf.ns={{.Values.properties.musicAafNs}}
-keyspace.active={{.Values.properties.keyspaceActive}}
-transId.header.required={{.Values.properties.transIdRequired}}
-transId.header.prefix={{.Values.properties.transIdPrefix}}
-conversation.header.required={{.Values.properties.conversationRequired}}
-conversation.header.prefix={{.Values.properties.conversationPrefix}}
-clientId.header.required={{.Values.properties.clientIdRequired}}
-clientId.header.prefix={{.Values.properties.clientIdPrefix}}
-messageId.header.required={{.Values.properties.messageIdRequired}}
-messageId.header.prefix={{.Values.properties.messageIdPrefix}}
-retry.count={{.Values.properties.retryCount}}
-lock.daemon.sleeptime.ms={{.Values.properties.lockDaemonSleeptimeMs}}
-keyspaces.for.lock.cleanup={{.Values.properties.keyspaceForLockCleanup}}
-create.lock.wait.period.ms=0
-create.lock.wait.increment.ms=0
diff --git a/kubernetes/common/music/resources/config/startup.sh b/kubernetes/common/music/resources/config/startup.sh
deleted file mode 100755
index eb84b084d0..0000000000
--- a/kubernetes/common/music/resources/config/startup.sh
+++ /dev/null
@@ -1,69 +0,0 @@ -#!/bin/sh - -{{/* -# ============LICENSE_START========================================== -# org.onap.music -# =================================================================== -# Copyright (c) 2019 AT&T Intellectual Property -# =================================================================== -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# ============LICENSE_END============================================= -# ==================================================================== -*/}} - -echo "Running startup script to get password from certman" -PWFILE=/opt/app/aafcertman/.password -LOGFILE=/opt/app/music/logs/MUSIC/music-sb.log -PROPS=/opt/app/music/etc/music-sb.properties -LOGBACK=/opt/app/music/etc/logback.xml -LOGGING= -DEBUG_PROP= -# Debug Setup. Uses env variables -# DEBUG and DEBUG_PORT -# DEBUG=true/false | DEBUG_PORT= -if [ "${DEBUG}" = "true" ]; then - if [ "${DEBUG_PORT}" = "" ]; then - DEBUG_PORT=8000 - fi - echo "Debug mode on" - DEBUG_PROP="-Xdebug -Xrunjdwp:server=y,transport=dt_socket,address=${DEBUG_PORT},suspend=n" -fi - -# LOGBACK file: if /opt/app/music/etc/logback.xml exists thenuse that. 
-if [ -f $LOGBACK ]; then - LOGGING="--logging.config=file:${LOGBACK}" -fi - -# Get Passwords from /opt/app/aafcertman -if [ -f $PWFILE ]; then - echo "Found ${PWFILE}" >> $LOGFILE - PASSWORD=$(cat ${PWFILE}) -else - PASSWORD=changeit - echo "#### Using Default Password for Certs" >> ${LOGFILE} -fi - -# If music-sb.properties exists in /opt/app/music/etc then use that to override the application.properties -if [ -f $PROPS ]; then - # Run with different Property file - #echo "java ${DEBUG_PROP} -jar MUSIC.jar --spring.config.location=file:${PROPS} ${LOGGING} 2>&1 | tee ${LOGFILE}" - java ${DEBUG_PROP} ${JAVA_OPTS} -jar MUSIC-SB.jar ${SPRING_OPTS} --spring.config.location=file:${PROPS} ${LOGGING} 2>&1 | tee ${LOGFILE} -else - #echo "java ${DEBUG_PROP} -jar MUSIC.jar --server.ssl.key-store-password=${PASSWORD} ${LOGGING} 2>&1 | tee ${LOGFILE}" - java ${DEBUG_PROP} ${JAVA_OPTS} -jar MUSIC-SB.jar ${SPRING_OPTS} --server.ssl.key-store-password="${PASSWORD}" ${LOGGING} 2>&1 | tee ${LOGFILE} -fi - - - - diff --git a/kubernetes/common/music/templates/configmap.yaml b/kubernetes/common/music/templates/configmap.yaml deleted file mode 100644 index d42cf2e7e0..0000000000 --- a/kubernetes/common/music/templates/configmap.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
-{{/*
-# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
-data:
-{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/common/music/templates/deployment.yaml b/kubernetes/common/music/templates/deployment.yaml
deleted file mode 100644
index 53d5a366f7..0000000000
--- a/kubernetes/common/music/templates/deployment.yaml
+++ /dev/null
@@ -1,117 +0,0 @@ -{{/* -# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-cassandra-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-music-cassandra-config" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{ include "common.certInitializer.initContainer" . | indent 8 | trim }} - - command: - - sh - args: - - -c - - "export KEYSTORE_PASSWORD=$(cat /opt/app/aafcertman/local/.pass); cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: CASSA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cassa-secret" "key" "login") | indent 12 }} - - name: CASSA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "cassa-secret" "key" "password") | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /config-input - name: properties-music-scrubbed - - mountPath: /config - name: properties-music - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - containers: - # MUSIC Container - - name: "{{ include "common.name" . }}-springboot" - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - env: - - name: SPRING_OPTS - value: "{{ .Values.springOpts }}" - - name: JAVA_OPTS - value: "{{ .Values.javaOpts }}" - - name: DEBUG - value: "{{ .Values.debug }}" - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - - name: properties-music - mountPath: /opt/app/music/etc/music.properties - subPath: music.properties - - name: properties-music - mountPath: /opt/app/music/etc/music-sb.properties - subPath: music-sb.properties - - name: properties-music-scrubbed - mountPath: /opt/app/music/etc/logback.xml - subPath: logback.xml - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: shared-data - emptyDir: {} - - name: certificate-vol - emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-music-scrubbed - configMap: - name: {{ include "common.fullname" . }} - - name: properties-music - emptyDir: - medium: Memory diff --git a/kubernetes/common/music/templates/secrets.yaml b/kubernetes/common/music/templates/secrets.yaml deleted file mode 100644 index 15791a85d7..0000000000 --- a/kubernetes/common/music/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/common/music/templates/service.yaml b/kubernetes/common/music/templates/service.yaml deleted file mode 100644 index 3bd32a9419..0000000000 --- a/kubernetes/common/music/templates/service.yaml +++ /dev/null 
@@ -1,17 +0,0 @@
-{{/*
-# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/common/music/templates/service.yaml b/kubernetes/common/music/templates/service.yaml
deleted file mode 100644
index 3bd32a9419..0000000000
--- a/kubernetes/common/music/templates/service.yaml
+++ /dev/null
@@ -1,167 +0,0 @@ -# Copyright © 2018-2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - truststore: truststoreONAPall.jks - - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: cassa-secret - type: basicAuth - login: '{{ .Values.properties.cassandraUser }}' - password: '{{ .Values.properties.cassandraPassword }}' - passwordPolicy: required - - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/music/music_sb:3.2.40 -pullPolicy: Always - -job: - host: cassandra - port: 9042 - - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 6 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false - port: 8443 - - -# Java options that need to be passed to jave on CLI -#javaOpts: -Xms256m -Xmx2048m -javaOpts: -# Options that need to be passed to CLI for Sprngboot, pw is a secret passed in through ENV -springOpts: --spring.config.location=file:/opt/app/music/etc/music-sb.properties -# Resource Limit flavor -By Default using small -flavor: large -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1000m - memory: 1G - requests: - cpu: 300m - memory: 512Mi - large: - limits: - cpu: 1500m - memory: 3Gi - requests: - cpu: 1000m - memory: 2Gi - unlimited: {} - -readiness: - initialDelaySeconds: 350 - periodSeconds: 120 - port: 8443 - -service: - useNodePortExt: true - type: NodePort - name: music - ports: - - name: https-api - port: 8443 - nodePort: '07' - -# Turn on Debugging true/false -debug: false -ingress: - enabled: false - -properties: - lockUsing: "cassandra" - # Comma dilimited list of hosts - cassandraHost: "music-cassandra" - cassandraUser: "nelson24" - cassandraPassword: "nelson24" - cassandraConnecttimeoutms: 12000 - cassandraPort: 9042 - # Connection Timeout for Cassandra in ms - # Read Timeout for Cassandra in ms - cassandraReadtimeoutms: 12000 - keyspaceActive: true - # Enable CADI - cadi: false - # Special headers that may be passed and if they are required. - # With the ability to add a Prefix if required. 
- transIdRequired: false - transIdPrefix: X-ATT- - conversationRequired: false - conversationPrefix: X-CSI- - clientIdRequired: false - clientIdPrefix: - messageIdRequired: false - messageIdPrefix: - - # sleep time for lock cleanup daemon, negative values turn off daemon -##### Lock settings - retryCount: 3 - lockLeasePeriod: 6000 - # sleep time for lock cleanup daemon, negative values turn off daemon - lockDaemonSleeptimeMs: 30000 - #comma separated list of keyspace names - keyspaceForLockCleanup: - - -logback: - errorLogLevel: info - securityLogLevel: info - applicationLogLevel: info - metricsLogLevel: info - auditLogLevel: info - # Values must be uppercase: INFO, WARN, CRITICAL,DEBUG etc.. - rootLogLevel: INFO - -#sub-charts configuration -certInitializer: - nameOverride: music-cert-initializer - fqdn: "music.onap" - app_ns: "org.osaaf.aaf" - fqi: "music@music.onap.org" - fqi_namespace: org.onap.music - public_fqdn: "music.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - appMountPath: /opt/app/aafcertman - aaf_add_config: > - echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass; diff --git a/kubernetes/common/network-name-gen/Chart.yaml b/kubernetes/common/network-name-gen/Chart.yaml deleted file mode 100644 index 17eaa684d8..0000000000 --- a/kubernetes/common/network-name-gen/Chart.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Name Generation Micro Service -name: network-name-gen -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: 'file://../common' - - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' - - name: mariadb-galera - version: ~12.x-0 - repository: 'file://../mariadb-galera' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~12.x-0 - repository: 'file://../mariadb-init' - condition: not global.mariadbGalera.localCluster \ No newline at end of file diff --git a/kubernetes/common/network-name-gen/templates/deployment.yaml b/kubernetes/common/network-name-gen/templates/deployment.yaml deleted file mode 100644 index 97fece8a54..0000000000 --- a/kubernetes/common/network-name-gen/templates/deployment.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -{{/* -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: -{{- if .Values.global.mariadbGalera.localCluster }} - - --container-name - - {{ index .Values "mariadb-galera" "nameOverride" }} -{{- else }} - - --job-name - - {{ include "common.release" . }}-{{ index .Values "mariadb-init" "nameOverride" }}-config-job -{{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - containers: - - name: {{ include "common.name" . 
}} - command: - - bash - args: - - '-c' - - 'export POL_BASIC_AUTH=`echo -n $POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD | base64`; /startService.sh' - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: SPRING_PROFILE - value: "{{ .Values.config.springProfile }}" - - name: NENG_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "login") | indent 10}} - - name: NENG_DB_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "password") | indent 10}} - - name: NENG_DB_URL - value: jdbc:mysql://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-galera" "db" "name" }} - - name: POL_CLIENT_AUTH - value: "{{ .Values.config.polClientAuth }}" - - name: POL_BASIC_AUTH_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "login") | indent 10}} - - name: POL_BASIC_AUTH_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "password") | indent 10}} - - name: POL_URL - {{- if (include "common.needTLS" .) }} - value: "{{ .Values.config.polUrl.https }}" - {{- else }} - value: "{{ .Values.config.polUrl.http }}" - {{- end }} - - name: POL_ENV - value: "{{ .Values.config.polEnv }}" - - name: POL_REQ_ID - value: "{{ .Values.config.polReqId }}" - - name: AAI_CERT_PASS - value: "{{ .Values.config.aaiCertPass }}" - - name: AAI_CERT_PATH - value: "{{ .Values.config.aaiCertPath }}" - - name: AAI_URI - {{- if (include "common.needTLS" .) 
}} - value: "{{ .Values.config.aaiUri.https }}" - {{- else }} - value: "{{ .Values.config.aaiUri.http }}" - {{- end }} - - name: AAI_AUTH - value: "{{ .Values.config.aaiAuth }}" - - name: DISABLE_HOST_VERIFICATION - value: "{{ .Values.config.disableHostVerification }}" - volumeMounts: - - name: certs - mountPath: /opt/etc/config/aai_keystore - subPath: aai_keystore - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: certs - secret: - secretName: {{ include "common.release" . }}-aai-keystore - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/network-name-gen/templates/service.yaml b/kubernetes/common/network-name-gen/templates/service.yaml deleted file mode 100644 index 753448c5b7..0000000000 --- a/kubernetes/common/network-name-gen/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml deleted file mode 100644 index bfa5637275..0000000000 --- a/kubernetes/common/network-name-gen/values.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefix: 302 - - # image pull policy - pullPolicy: IfNotPresent - - mariadbGalera: &mariadbGalera - #This flag allows SO to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: neng-db-secret - name: &dbUserSecretName '{{ include "common.release" . }}-neng-db-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.externalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: pol-basic-auth-secret - name: '{{ include "common.release" . }}-pol-basic-auth-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.polBasicAuthSecret) . 
}}' - login: '{{ .Values.config.polBasicAuthUser }}' - password: '{{ .Values.config.polBasicAuthPassword }}' - -# sub-chart config -mariadb-galera: - db: - user: sdnctl - # password: - externalSecret: *dbUserSecretName - name: &mysqlDbName nengdb - nameOverride: nengdb - service: - name: nengdb - portName: nengdbport - replicaCount: 1 - persistence: - enabled: true - mountSubPath: network-name-gen/data - -mariadb-init: - config: - userCredentialsExternalSecret: *dbUserSecretName - mysqlDatabase: *mysqlDbName - nameOverride: nengdb-init - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/ccsdk-apps-ms-neng:1.4.0 -pullPolicy: IfNotPresent - -# application configuration -config: - db: - userName: nenguser - # userPassword: password - # userCredentialsExternalSecret: some-secret - springProfile: live - polClientAuth: cHl0aG9uOnRlc3Q= - polBasicAuthUser: healthcheck - polBasicAuthPassword: zb!XztG34 - polUrl: - https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision - http: http://policy-xacml-pdp:8080/policy/pdpx/v1/decision - polEnv: TEST - polReqId: xx - disableHostVerification: true - aaiCertPass: changeit - aaiCertPath: /opt/etc/config/aai_keystore - aaiAuth: QUFJOkFBSQ== - aaiUri: - https: https://aai:8443/aai/v14/ - http: http://aai:8080/aai/v14/ - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: neng-serv - portName: http - internalPort: 8080 - externalPort: 8080 - -ingress: - enabled: false - -resources: {} 
diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml index 9fe2eaedc8..81f566f9e1 100644 --- a/kubernetes/common/postgres-init/Chart.yaml +++ b/kubernetes/common/postgres-init/Chart.yaml @@ -16,13 +16,19 @@ apiVersion: v2 description: Chart for Postgres init job name: postgres-init -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: 'file://../repositoryGenerator' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml index d9a7386f83..cc7d410eb2 100644 --- a/kubernetes/common/postgres-init/templates/job.yaml +++ b/kubernetes/common/postgres-init/templates/job.yaml 
@@ -28,26 +28,18 @@ spec: backoffLimit: 20 template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.global.postgres.container.name }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - command: - sh 
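Review bot: The added annotation `traffic.sidecar.istio.io/excludeOutboundPorts: "443"` exempts every outbound connection on port 443 from the sidecar, not only the Kubernetes API calls that the comment describes. Any other 443 destination reached from this job pod therefore also skips mesh mTLS and policy. If the API server address is known at install time, `traffic.sidecar.istio.io/excludeOutboundIPRanges` scoped to that address would be narrower; otherwise the comment should state that the exclusion is port-wide. The comment also misspells `Workaround` as `Workarround`. The pod template continues outside this hunk.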
@@ -80,26 +72,16 @@ spec: value: "{{ .Values.config.pgDatabase }}" - name: PG_ROOT_PASSWORD_INPUT {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input/setup.sql - name: config - subPath: setup.sql - - mountPath: /config - name: pgconf image: {{ include "repositoryGenerator.image.postgres" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /config-input/setup.sql name: config subPath: setup.sql - mountPath: /config name: pgconf - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: @@ -109,10 +91,8 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config configMap: name: {{ include "common.fullname" . }} @@ -120,5 +100,4 @@ spec: emptyDir: medium: Memory restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml index d6d51f0b51..160e6720ed 100644 --- a/kubernetes/common/postgres-init/values.yaml +++ b/kubernetes/common/postgres-init/values.yaml @@ -19,6 +19,7 @@ global: postgres: service: name: pgset + name2: tcp-pgset-primary container: name: postgres 
@@ -76,20 +77,31 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 90Mi + cpu: "10m" + memory: "90Mi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: postgres-init + roles: + - read + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.postgres.service.name2 }}' + wait_for_job_container: containers: - '{{ include "common.name" . }}-update-config' \ No newline at end of file diff --git a/kubernetes/common/postgres/Chart.yaml b/kubernetes/common/postgres/Chart.yaml index d09f412311..3920d8e73d 100644 --- a/kubernetes/common/postgres/Chart.yaml +++ b/kubernetes/common/postgres/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP Postgres Server name: postgres -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl index 1051aaff0b..ff701a2c10 100644 --- a/kubernetes/common/postgres/templates/_deployment.tpl +++ b/kubernetes/common/postgres/templates/_deployment.tpl 
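Review bot: The new `readinessCheck.wait_for.services` entry depends on `global.postgres.service.name2`, whose default `tcp-pgset-primary` is set in the earlier hunk of this file with no explanation of what `name2` refers to. The job's init container now waits on that service name, so a parent chart that renames the Postgres primary service must override this global too, or the readiness wait will probably never complete. I would add a comment above the key, for example `# name2: service name of the postgres primary that this job waits for; keep in sync with the postgres chart's service.name2`. That `name2` is the primary is inferred from `metrics-svc-primary.yaml` in the same commit, so please confirm.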
@@ -27,6 +27,12 @@ metadata: namespace: {{ include "common.namespace" $dot }} labels: app: {{ include "common.name" $dot }}-{{ $pgMode }} + app.kubernetes.io/name: {{ include "common.name" $dot }}-{{ $pgMode }} + {{- if $dot.Chart.AppVersion }} + version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ $dot.Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }} release: {{ include "common.release" $dot }} heritage: {{ $dot.Release.Service }} @@ -42,11 +48,16 @@ spec: metadata: labels: app: {{ include "common.name" $dot }}-{{ $pgMode }} + app.kubernetes.io/name: {{ include "common.name" $dot }}-{{ $pgMode }} + {{- if $dot.Chart.AppVersion }} + version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ $dot.Chart.Version | replace "+" "_" }}" + {{- end }} release: {{ include "common.release" $dot }} name: "{{ index $dot.Values "container" "name" $pgMode }}" spec: - imagePullSecrets: - - name: "{{ include "common.namespace" $dot }}-docker-registry-key" + {{- include "common.imagePullSecrets" $dot | nindent 6 }} initContainers: - command: - sh 
@@ -158,7 +169,50 @@ spec: - mountPath: /backup name: {{ include "common.fullname" $dot }}-backup readOnly: true - resources: {{ include "common.resources" $dot | nindent 12 }} + resources: {{ include "common.resources" $dot | nindent 10 }} + {{- if (default false $dot.Values.metrics.enabled) }} + - name: {{ include "common.name" $dot }}-metrics + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ $dot.Values.metrics.image }} + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.metrics.pullPolicy | quote}} + env: + - name: POSTGRES_METRICS_EXTRA_FLAGS + value: {{ default "" (join " " $dot.Values.metrics.extraFlags) | quote }} + - name: DATA_SOURCE_USER + value: "{{ $dot.Values.metrics.postgresUser }}" + - name: DATA_SOURCE_PASS + {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 12 }} + command: + - sh + - -c + - | + DATA_SOURCE_URI="127.0.0.1:5432/?sslmode=disable" ./bin/postgres_exporter $POSTGRES_METRICS_EXTRA_FLAGS + ports: + {{- range $index, $metricPort := $dot.Values.metrics.ports }} + - name: {{ $metricPort.name }} + containerPort: {{ $metricPort.port }} + protocol: TCP + {{- end }} + livenessProbe: + httpGet: + path: /metrics + port: tcp-metrics + initialDelaySeconds: {{ $dot.Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ $dot.Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ $dot.Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ $dot.Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ $dot.Values.metrics.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /metrics + port: tcp-metrics + initialDelaySeconds: {{ $dot.Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ $dot.Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ $dot.Values.metrics.readinessProbe.timeoutSeconds }} + 
successThreshold: {{ $dot.Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ $dot.Values.metrics.readinessProbe.failureThreshold }} + {{ include "common.containerSecurityContext" $dot | indent 10 | trim }} + resources: {{- toYaml $dot.Values.metrics.resources | nindent 12 }} + {{ end }} {{- if $dot.Values.nodeSelector }} nodeSelector: {{ toYaml $dot.Values.nodeSelector | indent 10 }} @@ -168,9 +222,6 @@ spec: {{ toYaml $dot.Values.affinity | indent 10 }} {{- end }} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" $dot }}-backup emptyDir: {} - name: {{ include "common.fullname" $dot }}-data diff --git a/kubernetes/common/postgres/templates/configmap.yaml b/kubernetes/common/postgres/templates/configmap.yaml index e8bfd1194a..ff4f976bf0 100644 --- a/kubernetes/common/postgres/templates/configmap.yaml +++ b/kubernetes/common/postgres/templates/configmap.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: ConfigMap metadata: @@ -26,4 +27,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }} - +{{- end }} diff --git a/kubernetes/common/postgres/templates/deployment-primary.yaml b/kubernetes/common/postgres/templates/deployment-primary.yaml index c8a000142e..535eefa8cf 100644 --- a/kubernetes/common/postgres/templates/deployment-primary.yaml +++ b/kubernetes/common/postgres/templates/deployment-primary.yaml @@ -13,4 +13,6 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{ include "common.postgres.deployment" (dict "dot" . "pgMode" "primary") }} +{{- end }} \ No newline at end of file 
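Review bot: The exporter sidecar takes `DATA_SOURCE_PASS` from the secret named by `common.postgres.secret.rootPassUID`, so the metrics container holds the database root password while also serving an HTTP `/metrics` endpoint. A dedicated monitoring role with its own secret (PostgreSQL provides `pg_monitor` for this) would limit what a compromised exporter can reach. The value of `metrics.postgresUser` is not visible here, so please confirm it is not the superuser. Separately, the `image:` and `DATA_SOURCE_PASS` lines pass `.` to `include` where the rest of the block passes `$dot`, e.g. `{{ include "repositoryGenerator.dockerHubRepository" $dot }}`; whether those helpers tolerate the wrapper dict cannot be told from this hunk. The enclosing template starts and ends outside the hunk.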
diff --git a/kubernetes/common/postgres/templates/deployment-replica.yaml b/kubernetes/common/postgres/templates/deployment-replica.yaml index dc19c2d985..97c7e11053 100644 --- a/kubernetes/common/postgres/templates/deployment-replica.yaml +++ b/kubernetes/common/postgres/templates/deployment-replica.yaml @@ -13,4 +13,6 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{ include "common.postgres.deployment" (dict "dot" . "pgMode" "replica") }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/metrics-svc-primary.yaml b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml new file mode 100644 index 0000000000..00a5182eb1 --- /dev/null +++ b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml 
@@ -0,0 +1,38 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if not .Values.global.postgres.useOperator }} +{{- if default false .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.service.name2 }}-metrics + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + {{- if .Values.metrics.service.annotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.metrics.service.annotations "context" .) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type2 }} + ports: + - name: tcp-metrics + port: {{ .Values.metrics.service.port2 }} + targetPort: tcp-metrics + selector: + name: {{ .Values.container.name.primary }} + release: {{ include "common.release" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/metrics-svc-replica.yaml b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml new file mode 100644 index 0000000000..b8b9e793e8 --- /dev/null +++ b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml 
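Review bot: The Service type comes from `.Values.metrics.service.type2`, and nothing in this template keeps it cluster-internal, while the `tcp-metrics` port it fronts is fetched by the probes in `_deployment.tpl` with a plain `httpGet` on `/metrics`, i.e. without authentication. The default of `type2` is not visible here; I would document next to it that it should stay `ClusterIP`, or pair the Service with a NetworkPolicy limiting access to the Prometheus namespace, since exporter output describes the database. The same applies to `type3`/`port3` in `metrics-svc-replica.yaml`. The numeric suffixes on these keys should also get a comment saying which is primary and which is replica.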
@@ -0,0 +1,38 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if not .Values.global.postgres.useOperator }} +{{- if default false .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.service.name3 }}-metrics + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + {{- if .Values.metrics.service.annotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.metrics.service.annotations "context" .) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type3 }} + ports: + - name: tcp-metrics + port: {{ .Values.metrics.service.port3 }} + targetPort: tcp-metrics + selector: + name: {{ .Values.container.name.replica }} + release: {{ include "common.release" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/postgres.yaml b/kubernetes/common/postgres/templates/postgres.yaml new file mode 100644 index 0000000000..aca6aa260f --- /dev/null +++ b/kubernetes/common/postgres/templates/postgres.yaml 
@@ -0,0 +1,19 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.postgres.useOperator }} +{{ include "common.postgresOpInstance" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/pv-primary.yaml b/kubernetes/common/postgres/templates/pv-primary.yaml index e1ff1f9f4e..8db79d665e 100644 --- a/kubernetes/common/postgres/templates/pv-primary.yaml +++ b/kubernetes/common/postgres/templates/pv-primary.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} {{- if include "common.needPV" . -}} kind: PersistentVolume @@ -37,3 +38,4 @@ spec: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/primary {{- end -}} {{- end -}} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/pv-replica.yaml b/kubernetes/common/postgres/templates/pv-replica.yaml index d553c36680..af46f611c8 100644 --- a/kubernetes/common/postgres/templates/pv-replica.yaml +++ b/kubernetes/common/postgres/templates/pv-replica.yaml 
@@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} {{- if include "common.needPV" . -}} kind: PersistentVolume @@ -35,5 +36,6 @@ spec: persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} hostPath: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/replica -{{- end -}} -{{- end -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/pvc-primary.yaml b/kubernetes/common/postgres/templates/pvc-primary.yaml index a47d3ed56e..6aaa52913e 100644 --- a/kubernetes/common/postgres/templates/pvc-primary.yaml +++ b/kubernetes/common/postgres/templates/pvc-primary.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} kind: PersistentVolumeClaim apiVersion: v1 @@ -41,4 +42,5 @@ spec: {{- else }} storageClassName: {{ include "common.storageClass" . }} {{- end }} -{{- end -}} +{{- end }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/pvc-replica.yaml b/kubernetes/common/postgres/templates/pvc-replica.yaml index 1e453fbcfd..f59adf736a 100644 --- a/kubernetes/common/postgres/templates/pvc-replica.yaml +++ b/kubernetes/common/postgres/templates/pvc-replica.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} kind: PersistentVolumeClaim apiVersion: v1 @@ -41,4 +42,5 @@ spec: {{- else }} storageClassName: {{ include "common.storageClass" . }} {{- end }} -{{- end -}} +{{- end }} +{{- end }} \ No newline at end of file 
diff --git a/kubernetes/common/postgres/templates/service-common.yaml b/kubernetes/common/postgres/templates/service-common.yaml index 6e74a06616..6ec83dc0f4 100644 --- a/kubernetes/common/postgres/templates/service-common.yaml +++ b/kubernetes/common/postgres/templates/service-common.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: Service metadata: @@ -39,3 +40,4 @@ spec: selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/service-primary.yaml b/kubernetes/common/postgres/templates/service-primary.yaml index 2965b7df81..bc60d27f44 100644 --- a/kubernetes/common/postgres/templates/service-primary.yaml +++ b/kubernetes/common/postgres/templates/service-primary.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: Service metadata: @@ -39,3 +40,4 @@ spec: selector: name: "{{.Values.container.name.primary}}" release: {{ include "common.release" . }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/service-replica.yaml b/kubernetes/common/postgres/templates/service-replica.yaml index d92a0833af..68694561bd 100644 --- a/kubernetes/common/postgres/templates/service-replica.yaml +++ b/kubernetes/common/postgres/templates/service-replica.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: Service metadata: @@ -39,3 +40,4 @@ spec: selector: name: "{{.Values.container.name.replica}}" release: {{ include "common.release" . }} +{{- end }} \ No newline at end of file 
diff --git a/kubernetes/common/postgres/templates/servicemonitor.yaml b/kubernetes/common/postgres/templates/servicemonitor.yaml new file mode 100644 index 0000000000..522e515545 --- /dev/null +++ b/kubernetes/common/postgres/templates/servicemonitor.yaml @@ -0,0 +1,20 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if not .Values.global.postgres.useOperator }} +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml index 93f6d66385..c0cdfef2d2 100644 --- a/kubernetes/common/postgres/values.yaml +++ b/kubernetes/common/postgres/values.yaml @@ -19,6 +19,9 @@ global: nodePortPrefix: 302 persistence: {} + postgres: + # flag to enable the DB creation via mariadb-operator + useOperator: false ################################################################# # Secrets metaconfig 
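Review bot: The comment added above `useOperator` in `values.yaml` says the flag enables DB creation "via mariadb-operator", but this is the Postgres chart and the flag gates `common.postgresOpInstance` and the non-operator templates in this commit. It looks like a copy-paste leftover and will mislead anyone deciding which operator must be installed before setting the flag. Suggested wording: `# flag to enable the DB creation via postgres-operator (operator must already be installed in the cluster)`. That the operator is a prerequisite is inferred, so adjust the parenthetical if that is not the case.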
@@ -38,6 +41,27 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.pgPrimaryPasswordExternalSecret) . }}' password: '{{ .Values.config.pgPrimaryPassword }}' +################################################################# +# Postgres Operator configuration defaults. +# Example: https://github.com/CrunchyData/postgres-operator-examples/tree/main/helm/postgres +################################################################# +postgresOperator: + postgresVersion: 16 + # Possibility to override images + #imagePostgres: + #imagePgBouncer: + #imageExporter: + #imagePgBackRest: + instanceName: instance1 + instanceReplicas: 2 + #instanceStorageClassName: + instanceSize: 1Gi + #instanceCPU: + #instanceMemory: + bouncerReplicas: 2 + monitoring: true + #monitoringConfig: {} + ################################################################# # Application configuration defaults. ################################################################# 
@@ -136,16 +160,114 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 90Mi + cpu: "10m" + memory: "90Mi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} + +metrics: + enabled: false + ## Bitnami Postgres Prometheus exporter image + ## ref: https://hub.docker.com/r/bitnami/postgres-exporter/tags/ + ## + image: bitnami/postgres-exporter:0.11.1 + pullPolicy: Always + ports: + - name: tcp-metrics + port: 9187 + ## Postgres exporter additional command line flags + ## Can be used to specify command line flags + ## E.g.: + ## extraFlags: + ## - --collect.binlog_size + ## + extraFlags: [] + ## Postgres Prometheus exporter containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ limits: + cpu: "0.5" + memory: "200Mi" + requests: + cpu: "0.5" + memory: "200Mi" + ## Postgres metrics container's liveness and readiness probes + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + postgresUser: "postgres" + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 180 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 180 + successThreshold: 1 + failureThreshold: 3 + ## Postgres Prometheus exporter service parameters + ## + service: + type2: ClusterIP + port2: 9187 + type3: ClusterIP + port3: 9187 + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + serviceMonitor: + enabled: false + basicAuth: + enabled: false + ## Namespace in which Prometheus is running + ## + ## namespace: monitoring + ## + ## Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + ## interval: 10s + ## + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + ## scrapeTimeout: 10s + ## Add your label under which prometheus is discovering resources + ## labels: + ## release: kube-prometheus-stack + ## + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## monitoring: enabled + ## + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + ## + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued 
as a template + ## + metricRelabelings: [] diff --git a/kubernetes/common/readinessCheck/Chart.yaml b/kubernetes/common/readinessCheck/Chart.yaml index 6caea5f899..bb2986a9fb 100644 --- a/kubernetes/common/readinessCheck/Chart.yaml +++ b/kubernetes/common/readinessCheck/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: Template used to wait for other deployment/sts/jobs in onap name: readinessCheck -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl index 90c278e4c5..51791fec13 100644 --- a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl +++ b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl @@ -35,6 +35,28 @@ - aaf-cm - aaf-service + the powerful one allows also to wait for pod names with this + (has to start with the given pod name): + wait_for: + name: myname + pods: + - test-pod + + the powerful one allows also to wait for a service to be + available, which means all pods are deployed, which are + selected by the service definition: + wait_for: + name: myservice + services: + - mariadb-galera-service + + the powerful one allows also to wait for pods with the + given "app" label: + wait_for: + name: myname + apps: + - mariadb-galera + the powerful one allows also to wait for jobs with this: wait_for: name: myname 
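Review bot: The new `metrics` defaults pair `pullPolicy: Always` with the mutable tag `bitnami/postgres-exporter:0.11.1`, so the exporter image running next to the database can change on any pod restart without a chart change. Pinning by digest (`bitnami/postgres-exporter:0.11.1@sha256:<digest-placeholder>`) would make the deployed image reproducible. The block also sets `postgresUser: "postgres"`; how the value is consumed is outside this hunk, but if it is the account the exporter logs in with, a dedicated role that is a member of `pg_monitor` would be less privileged than the superuser. Two comments look carried over from another chart: the `extraFlags` example `--collect.binlog_size` is a MySQL exporter flag, and the `resources` comment still tells the reader to remove curly braces that are not present.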
@@ -48,8 +70,8 @@ - .dot : environment (.) - .initRoot : the root dictionary of readinessCheck submodule (default to .Values.readinessCheck) - - .wait_for : list of containers / jobs to wait for (default to - .Values.wait_for) + - .wait_for : list of service / containers / pods /apps / jobs to wait for + (default to .Values.wait_for) Example calls: {{ include "common.readinessCheck.waitFor" . }} @@ -62,6 +84,9 @@ {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} {{- $wait_for := default $initRoot.wait_for .wait_for -}} {{- $containers := index (ternary (dict "containers" $wait_for) $wait_for (kindIs "slice" $wait_for)) "containers" -}} +{{- $services := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "services" -}} +{{- $pods := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "pods" -}} +{{- $apps := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "apps" -}} {{- $namePart := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "name" -}} {{- $jobs := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "jobs" -}} - name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $namePart) (empty $namePart) }}-readiness @@ -77,6 +102,18 @@ - --container-name - {{ tpl $container $dot }} {{- end }} + {{- range $pod := default (list) $pods }} + - --pod-name + - {{ tpl $pod $dot }} + {{- end }} + {{- range $service := default (list) $services }} + - --service-name + - {{ tpl $service $dot }} + {{- end }} + {{- range $app := default (list) $apps }} + - --app-name + - {{ tpl $app $dot }} + {{- end }} {{- range $job := $jobs }} - --job-name - {{ tpl $job $dot }} diff --git a/kubernetes/common/readinessCheck/values.yaml b/kubernetes/common/readinessCheck/values.yaml index 128c5057cc..239743e106 100644 --- a/kubernetes/common/readinessCheck/values.yaml +++ b/kubernetes/common/readinessCheck/values.yaml 
@@ -19,8 +19,8 @@ user: 100 group: 65533 limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" diff --git a/kubernetes/common/repository-wrapper/Chart.yaml b/kubernetes/common/repository-wrapper/Chart.yaml index 3823e64cc5..c9894d2130 100644 --- a/kubernetes/common/repository-wrapper/Chart.yaml +++ b/kubernetes/common/repository-wrapper/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: Wrapper chart to allow docker secret to be shared all instances name: repository-wrapper -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/repositoryGenerator/Chart.yaml b/kubernetes/common/repositoryGenerator/Chart.yaml index 52a2793963..09d6836574 100644 --- a/kubernetes/common/repositoryGenerator/Chart.yaml +++ b/kubernetes/common/repositoryGenerator/Chart.yaml @@ -16,4 +16,4 @@ apiVersion: v2 description: Template used to generate the right repository link name: repositoryGenerator -version: 12.0.0 +version: 13.0.0 diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 1b99285a80..1da838a5b9 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl 
@@ -58,6 +58,16 @@ {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "elasticRepository") .) }} {{- end -}} +{{/* + Resolve the name of the quay.io Repository image repository. + + - .Values.global.quayRepository : default image quayRepository for all images using quay repository + - .Values.quayRepositoryOverride : override global quayRepository repository on a per chart basis +*/}} +{{- define "repositoryGenerator.quayRepository" -}} + {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "quayRepository") .) }} +{{- end -}} + {{/* Resolve the name of the googleK8sRepository image repository. @@ -137,8 +147,8 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "readinessImage") .) }} {{- end -}} -{{- define "repositoryGenerator.image.dbcClient" -}} - {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dbcClientImage") .) }} +{{- define "repositoryGenerator.image.drProvClient" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "drProvClientImage") .) }} {{- end -}} {{- define "repositoryGenerator.image.quitQuit" -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index aa6159c2b2..da10d82035 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -21,6 +21,7 @@ global: elasticRepository: docker.elastic.co googleK8sRepository: k8s.gcr.io githubContainerRegistry: ghcr.io + quayRepository: quay.io # common global images busyboxImage: busybox:1.34.1 
@@ -38,10 +39,10 @@ global: mariadbImage: bitnami/mariadb:10.5.8 nginxImage: bitnami/nginx:1.21.4 postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 - dbcClientImage: onap/dmaap/dbc-client:2.0.10 - quitQuitImage: onap/oom/readiness:4.1.0 + drProvClientImage: onap/dmaap/datarouter-prov-client:2.1.15 + quitQuitImage: onap/oom/readiness:6.0.3 # Default credentials # they're optional. If the target repository doesn't need them, comment them @@ -74,5 +75,5 @@ imageRepoMapping: postgresImage: dockerHubRepository readinessImage: repository dcaePolicySyncImage: repository - dbcClientImage: repository + drProvClientImage: repository quitQuitImage: repository diff --git a/kubernetes/common/roles-wrapper/Chart.yaml b/kubernetes/common/roles-wrapper/Chart.yaml index 717d12a2a4..5de7b72299 100644 --- a/kubernetes/common/roles-wrapper/Chart.yaml +++ b/kubernetes/common/roles-wrapper/Chart.yaml @@ -16,9 +16,9 @@ apiVersion: v2 description: Wrapper chart to allow default roles to be shared among onap instances name: roles-wrapper -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' \ No newline at end of file diff --git a/kubernetes/common/roles-wrapper/templates/role.yaml b/kubernetes/common/roles-wrapper/templates/role.yaml index 0be6c7bbd6..3438b6e36e 100644 --- a/kubernetes/common/roles-wrapper/templates/role.yaml +++ b/kubernetes/common/roles-wrapper/templates/role.yaml @@ -30,6 +30,9 @@ rules: - batch - extensions resources: + - endpoints + - services + - nodes - pods - deployments - deployments/status diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml index 2de9036315..7afd31f4d9 100644 --- a/kubernetes/common/serviceAccount/Chart.yaml 
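Review bot: The added `- nodes` entry in `roles-wrapper/templates/role.yaml` has no effect if this template renders a namespaced `Role`; the `kind:` line is outside the hunk, so this is inferred from the file name. Nodes are cluster-scoped, and a Role's rules only apply to resources inside its own namespace. If the readiness check needs node information, that requires a `ClusterRole` with a `ClusterRoleBinding`. Otherwise drop the line so the role does not advertise a permission it cannot grant. The same entry is repeated in the `read` rules added to `kubernetes/common/serviceAccount/templates/role.yaml`, where `kind: Role` is visible.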
+++ b/kubernetes/common/serviceAccount/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,9 +18,9 @@ apiVersion: v2 description: Template used to create the right Service Accounts / Role / RoleBinding name: serviceAccount -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' \ No newline at end of file diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml index 7c272aecda..11593ccccb 100644 --- a/kubernetes/common/serviceAccount/templates/role-binding.yaml +++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ {{- range $role_type := $dot.Values.roles }} {{/* retrieve the names for generic roles */}} {{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }} -{{- if not (has $role_type $dot.Values.defaultRoles) }} +{{- if or (not (has $role_type $dot.Values.defaultRoles)) ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} {{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} {{- end }} --- @@ -36,4 +37,3 @@ roleRef: name: {{ $name }} apiGroup: rbac.authorization.k8s.io {{- end }} - diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 2055885f2a..83cb945ba9 100644 
--- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -37,5 +38,114 @@ rules: verbs: - create {{- end }} +{{- else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - endpoints + - services + - nodes + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + verbs: + - get + - watch + - list +{{- else }} +{{- if eq $role_type "create" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + - services + verbs: + - get + - watch + - list +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + - configmaps + verbs: + - patch +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + - services + - pods + verbs: + - create +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployments + - services + verbs: + - delete +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete +{{- else }} +# if you don't match read or create, then you're not allowed to use API +# except to see basic information about yourself +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create +{{- end }} +{{- end 
}} {{- end }} {{- end }} diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml index 22faeb6904..4c9f75f38d 100644 --- a/kubernetes/common/serviceAccount/values.yaml +++ b/kubernetes/common/serviceAccount/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2020 Samsung Electronics +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,13 +13,21 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Default roles will be created by roles wrapper -# It won't work if roles wrapper is disabled. +# Global flag to enable the creation of default roles instead of using +# common roles-wrapper +global: + createDefaultRoles: false + +# Default roles will be created by roles wrapper, +# if "createDefaultRoles=false" roles: - nothing # - read # - create +# Flag to enable the creation of default roles instead of using +# common roles-wrapper +createDefaultRoles: false defaultRoles: - nothing - read diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml index cb9965f6b6..d8b9869817 100644 --- a/kubernetes/common/timescaledb/Chart.yaml +++ b/kubernetes/common/timescaledb/Chart.yaml @@ -22,15 +22,15 @@ apiVersion: v2 appVersion: "1.0" description: ONAP timescaledb name: timescaledb -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml index 2e83c5b1b0..653326be5f 100644 
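Review bot: The `create` branch added to `serviceAccount/templates/role.yaml` is broad and undocumented: it grants `get`/`watch`/`list` and `delete` on `secrets`, plus `create` on `pods/exec`, for the whole namespace. With `createDefaultRoles` enabled, every release that lists `create` in `roles` gets its own copy of that Role. A service account bound to it can read every other component's credentials and open a shell in any pod of the namespace, which deserves a visible warning where the role is selected. I would add a comment above the branch such as `# NOTE: namespace-wide read of secrets and pods/exec; request "create" only for charts that need it`, and repeat it next to `createDefaultRoles` in `values.yaml`. Where the set of secrets a chart touches is known, `resourceNames` on the `secrets` rules would narrow the grant. The enclosing `range`/`if` starts outside this hunk.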
--- a/kubernetes/common/timescaledb/templates/statefulset.yaml +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml @@ -74,8 +74,7 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "password") | indent 14 }} - name: PGDATA value: /var/lib/postgresql/data/pgdata - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: - name: {{ include "common.fullname" . }}-init mountPath: /docker-entrypoint-initdb.d diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml index 72a4b6ffd0..2643f55062 100644 --- a/kubernetes/common/timescaledb/values.yaml +++ b/kubernetes/common/timescaledb/values.yaml @@ -63,18 +63,18 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 90Mi + cpu: "10m" + memory: "90Mi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} nodeSelector: {} diff --git a/kubernetes/consul/.helmignore b/kubernetes/consul/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/consul/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/consul/Chart.yaml b/kubernetes/consul/Chart.yaml deleted file mode 100644 index 0000463560..0000000000 --- a/kubernetes/consul/Chart.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Consul Agent -name: consul -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: consul-server - version: ~12.x-0 - repository: 'file://components/consul-server' - condition: consul-server.enabled - - name: serviceAccount - version: ~12.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/consul/Makefile b/kubernetes/consul/Makefile deleted file mode 100644 index c483a02eab..0000000000 --- a/kubernetes/consul/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/consul/components/Makefile b/kubernetes/consul/components/Makefile deleted file mode 100644 index fa3c4b9af9..0000000000 --- a/kubernetes/consul/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/consul/components/consul-server/Chart.yaml b/kubernetes/consul/components/consul-server/Chart.yaml deleted file mode 100644 index 8eb28ce1d4..0000000000 --- a/kubernetes/consul/components/consul-server/Chart.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Consul Server -name: consul-server -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/consul/components/consul-server/templates/NOTES.txt b/kubernetes/consul/components/consul-server/templates/NOTES.txt deleted file mode 100644 index 157fe92427..0000000000 --- a/kubernetes/consul/components/consul-server/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/consul/components/consul-server/templates/service.yaml b/kubernetes/consul/components/consul-server/templates/service.yaml deleted file mode 100644 index c24ddfb7e4..0000000000 --- a/kubernetes/consul/components/consul-server/templates/service.yaml +++ /dev/null 
@@ -1,67 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
- {{- else -}}
- - port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- clusterIP: None
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}-ui
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type2 }}
- ports:
- {{if eq .Values.service.type2 "NodePort" -}}
- - port: {{ .Values.service.internalPort2 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
- name: {{ .Values.service.portName2 }}
- {{- else -}}
- - port: {{ .Values.service.internalPort2 }}
- name: {{ .Values.service.portName2 }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/consul/components/consul-server/templates/statefulset.yaml b/kubernetes/consul/components/consul-server/templates/statefulset.yaml
deleted file mode 100644
index 8e872b9c87..0000000000
--- a/kubernetes/consul/components/consul-server/templates/statefulset.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- serviceName: {{ include "common.servicename" . }}
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- app: {{ include "common.name" . }}
- template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- spec:
- imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
- containers:
- - name: {{ include "common.name" . }}
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
- securityContext:
- runAsUser: {{ .Values.securityContext.runAsUser }}
- runAsGroup: {{ .Values.securityContext.runAsGroup }}
- command: ["/usr/local/bin/docker-entrypoint.sh"]
- args:
- - "agent"
- - "-bootstrap-expect={{ .Values.replicaCount }}"
- - "-enable-script-checks"
-{{- $fullname := include "common.fullname" . -}}
-{{- $servname := include "common.servicename" . -}}
-{{- range $i,$t := until (int .Values.replicaCount)}}
- - "-retry-join={{ $fullname }}-{{$i}}.{{ $servname }}"
-{{- end }}
- - "-client=0.0.0.0"
- - "-server"
- - "-ui"
- ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPort2 }}
- {{- if eq .Values.liveness.enabled true }}
- livenessProbe:
- tcpSocket:
- port: {{ .Values.service.internalPort }}
- initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
- periodSeconds: {{ .Values.liveness.periodSeconds }}
- {{ end -}}
- readinessProbe:
- tcpSocket:
- port: {{ .Values.service.internalPort }}
- initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
- periodSeconds: {{ .Values.readiness.periodSeconds }}
- resources: {{ include "common.resources" . | nindent 10 }}
- serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
diff --git a/kubernetes/consul/components/consul-server/values.yaml b/kubernetes/consul/components/consul-server/values.yaml
deleted file mode 100644
index d4e649444a..0000000000
--- a/kubernetes/consul/components/consul-server/values.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#################################################################
-# Global configuration defaults.
-#################################################################
-global:
- nodePortPrefix: 302
- repository: nexus3.onap.org:10001
-
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-image: onap/oom/consul:2.1.0
-pullPolicy: Always
-
-# flag to enable debugging - application support required
-debugEnabled: false
-
-replicaCount: 3
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 10
- periodSeconds: 5
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
-
-readiness:
- initialDelaySeconds: 10
- periodSeconds: 5
-
-service:
- type: ClusterIP
- name: consul-server
- portName: consul-join
- internalPort: 8301
- type2: ClusterIP
- portName2: consul-ui
- internalPort2: 8500
- nodePort2: 70
-
-ingress:
- enabled: false
-
-#resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- #
- # Example:
- # Configure resource requests and limits
- # ref: http://kubernetes.io/docs/user-guide/compute-resources/
- # Minimum memory for development is 2 CPU cores and 4GB memory
- # Minimum memory for production is 4 CPU cores and 8GB memory
-resources:
- small:
- limits:
- cpu: 100m
- memory: 100Mi
- requests:
- cpu: 30m
- memory: 25Mi
- large:
- limits:
- cpu: 2
- memory: 4Gi
- requests:
- cpu: 1
- memory: 2Gi
- unlimited: {}
-
-securityContext:
- fsGroup: 1000
- runAsUser: 100
- runAsGroup: 1000
-
-#Pods Service Account
-serviceAccount:
- nameOverride: consul-server
- roles:
- - read
diff --git a/kubernetes/consul/resources/config/consul-agent-config/aaf-service-health.json b/kubernetes/consul/resources/config/consul-agent-config/aaf-service-health.json
deleted file mode 100755
index cd715f8b6a..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/aaf-service-health.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "service": {
- "name": "Health Check: Application Authorization Framework",
- "checks": [
- {
- "id": "aaf-service",
- "name": "AAF Service Health Check",
- "http": "https://aaf-service:8100/authz/perms/user/demo@people.osaaf.org",
- "header": {
- "Authorization": ["Basic ZGVtb0BwZW9wbGUub3NhYWYub3JnOmRlbW8xMjM0NTYh"],
- "X-TransactionId": ["ConsulHealthCheck"],
- "X-FromAppId": ["healthcheck"]
- },
- "tls_skip_verify": true,
- "interval": "20s",
- "timeout": "5s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/aaf-sms-health.json b/kubernetes/consul/resources/config/consul-agent-config/aaf-sms-health.json
deleted file mode 100644
index 965732da5d..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/aaf-sms-health.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "service": {
- "name": "Health Check: Secret Management Service (sms)",
- "check":[
- {
- "id" : "aaf-sms-health",
- "name": "SMS Health Check",
- "http": "https://aaf-sms.{{ .Release.Namespace }}:10443/v1/sms/healthcheck",
- "tls_skip_verify": true,
- "method": "GET",
- "interval": "20s",
- "timeout": "5s"
- }
- ]
- }
-}
-
diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-data-router-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-data-router-health.json
deleted file mode 100644
index be41934e77..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/aai-data-router-health.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "A&AI Synapse Data Routing Service",
- "checks": [
- {
- "id": "data-router-process",
- "name": "Synapse Presence",
- "script": "/consul/scripts/data-router-script.sh",
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-model-loader-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-model-loader-health.json
deleted file mode 100644
index 044a844e35..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/aai-model-loader-health.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "A&AI Model Loader",
- "checks": [
- {
- "id": "model-loader-process",
- "name": "Model Loader Presence",
- "script": "/consul/scripts/model-loader-script.sh",
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-search-data-service-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-search-data-service-health.json
deleted file mode 100644
index 0817a19cf0..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/aai-search-data-service-health.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "service": {
- "name": "A&AI Search Data Service",
- "checks": [
- {
- "id": "elasticsearch",
- "name": "Search Data Service Document Store",
- "http": "http://aai-elasticsearch:9200/_cat/indices?v",
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "elasticsearch-write-health",
- "name": "Search Data Service Document Store Write Test",
- "script": "/consul/scripts/aai-search-storage-write-script.sh",
- "interval": "60s"
- },
- {
- "id": "search-data-service-availability",
- "name": "Search Data Service Availability",
- "script": "curl -k --cert /consul/certs/client-cert-onap.crt.pem --cert-type PEM --key /consul/certs/client-cert-onap.key.pem --key-type PEM https://search-data-service:9509/services/search-data-service/v1/jaxrsExample/jaxrs-services/echo/up 2>&1 | grep 'Up'",
- "interval": "15s"
- },
- {
- "id": "search-data-service-api",
- "name": "Search Data Service Operational Test",
- "script": "/consul/scripts/search-data-service-availability.sh",
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-services-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-services-health.json
deleted file mode 100644
index 99acff4e61..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/aai-services-health.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "service": {
- "name": "Active and Available Inventory",
- "checks": [
- {
- "id": "aai-service",
- "name": "Core A&AI",
- "http": "https://aai.{{ .Release.Namespace }}:8443/aai/util/echo",
- "header": {
- "Authorization": ["Basic QUFJOkFBSQ=="],
- "X-TransactionId": ["ConsulHealthCheck"],
- "X-FromAppId": ["healthcheck"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "aai-resources",
- "name": "Resources Microservice",
- "http": "https://aai-resources.{{ .Release.Namespace }}:8447/aai/util/echo",
- "header": {
- "Authorization": ["Basic QUFJOkFBSQ=="],
- "X-TransactionId": ["ConsulHealthCheck"],
- "X-FromAppId": ["healthcheck"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "aai-traversal",
- "name": "Traversal Microservice",
- "http": "https://aai-traversal.{{ .Release.Namespace }}:8446/aai/util/echo",
- "header": {
- "Authorization": ["Basic QUFJOkFBSQ=="],
- "X-TransactionId": ["ConsulHealthCheck"],
- "X-FromAppId": ["healthcheck"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-sparky-be-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-sparky-be-health.json
deleted file mode 100644
index bf6305c1d0..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/aai-sparky-be-health.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "A&AI UI Backend Service",
- "checks": [
- {
- "id": "sparky-be-process",
- "name": "UI Backend Presence",
- "script": "/consul/scripts/sparky-be-script.sh",
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-dbbuilder.json b/kubernetes/consul/resources/config/consul-agent-config/appc-dbbuilder.json
deleted file mode 100644
index c86361743a..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/appc-dbbuilder.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "service": {
- "name": "Health Check: APPC - Dgbuilder",
- "checks": [
- {
- "id": "appc-dgbuilder",
- "name": "APPC-Dgbuilder Server Health Check",
- "http": "http://appc-dgbuilder:3000/",
- "method": "HEAD",
- "header": {
- "Authorization": ["Basic ZGd1c2VyOnRlc3QxMjM="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-health.json b/kubernetes/consul/resources/config/consul-agent-config/appc-health.json
deleted file mode 100644
index 86f2ce8da0..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/appc-health.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "Health Check: APPC",
- "checks": [
- {
- "id": "appc-dbhost-healthcheck",
- "name": "APPC DBHost Health Check",
- "script": "/consul/scripts/appc-dbhost-script.sh",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb01-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb01-healthcheck.json
deleted file mode 100644
index 230d31f509..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb01-healthcheck.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "Health Check: APPC-SDN-CTL-DB-01",
- "checks": [
- {
- "id": "appc-sdnctldb01",
- "name": "APPC SDNCTLDB01 Health Check",
- "tcp": "appc-sdnctldb01:3306",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb02-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb02-healthcheck.json
deleted file mode 100644
index da669e3ac0..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb02-healthcheck.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "Health Check: APPC-SDN-CTL-DB-02",
- "checks": [
- {
- "id": "appc-sdnctldb02",
- "name": "APPC SDNCTLDB02 Health Check",
- "tcp": "appc-sdnctldb02:3306",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnhost.json b/kubernetes/consul/resources/config/consul-agent-config/appc-sdnhost.json
deleted file mode 100644
index 1548cab909..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnhost.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "service": {
- "name": "Health Check: APPC - SDN Host",
- "checks": [
- {
- "id": "appc-sdnhost",
- "name": "APPC SDN Host Health Check",
- "http": "http://appc-sdnhost:8282/apidoc/explorer/index.html",
- "method": "HEAD",
- "header": {
- "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.crt.pem b/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.crt.pem
deleted file mode 100644
index b842710c11..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.crt.pem
+++ /dev/null
@@ -1,25 +0,0 @@ -Bag Attributes - friendlyName: tomcat - localKeyID: 54 69 6D 65 20 31 34 39 33 33 32 33 39 32 32 37 35 31 -subject=/C=CA/ST=Ontario/L=Ottawa/O=ONAP/OU=ONAP/CN=ONAP -issuer=/C=CA/ST=Ontario/L=Ottawa/O=ONAP/OU=ONAP/CN=ONAP ------BEGIN CERTIFICATE----- -MIIDWTCCAkGgAwIBAgIERWHcIzANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJD -QTEQMA4GA1UECBMHT250YXJpbzEPMA0GA1UEBxMGT3R0YXdhMQ0wCwYDVQQKEwRP -TkFQMQ0wCwYDVQQLEwRPTkFQMQ0wCwYDVQQDEwRPTkFQMB4XDTE3MDQyNzIwMDUz -N1oXDTM3MDExMjIwMDUzN1owXTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFy -aW8xDzANBgNVBAcTBk90dGF3YTENMAsGA1UEChMET05BUDENMAsGA1UECxMET05B -UDENMAsGA1UEAxMET05BUDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AJsQpjB5U0exZHWKVt6xDzmBBhLiAtv7Qb8zsbAcIZPxuKsieOJykWDCaf+Ip7oe -+b86nf4LmKrNm4KMsDNnlU7Bg7+3HFa7m+tZgfILORv2HPMRXgvcqPFr1dxgTBkp -xtlcGXHhA8oBpmqTmOCitE+ngVH+FBVxN93aHEDz+Dgc06PyzoP/xWI0GjvlOsv/ -qZeXCj6K4Hpu/FSPNk06Piq9M+rDwUMuyaRtY9FWjYMvkMCrRvlZUoAasrC0BGyR -UAboHdk5aW3AZ0cVR6NMSlELcvCUFqzacAOWLgffX3b5vhkOaAsmnnzmxANV6s0t -SqrD6Mmjg5OcYJW4VFKrwjUCAwEAAaMhMB8wHQYDVR0OBBYEFNji+IU70Qgptn4i -boq/rOKNAg8tMA0GCSqGSIb3DQEBCwUAA4IBAQBc5mJLeeUUzJ4MujZjn0DS3Lvv -THJTE54Id1euT3ddzfX3htF0Ewd90YzmLuj1y8r8PXj7b/8Bq+cvoKbmJ42c8h3X -If0tqde+gYWx1X3NAWHwz00Cje9R0KY4Bx1Cvr39jTw/ESnuSQDKPHBnn8WyAS9K -08ZhvrVSK54d3U7tDVut9UVva8Scdi12utTAWaOIlusLo3bU9Z6t+tgg7AnQBYc0 -N9oCMbq/MACFlLSdc1J6NITYS8XHY2RS8u88eLbWkCcEEx1glYz/PMX3+V1Ow9Uy -MjenEx8ifl96ZSOe9XsI2gl2TCaevCY/QuREu4LZB9XmO0gncH7gF5w9Bw2b ------END CERTIFICATE----- diff --git a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.key.pem b/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.key.pem deleted file mode 100644 index 95de561981..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.key.pem +++ /dev/null 
@@ -1,32 +0,0 @@ -Bag Attributes - friendlyName: tomcat - localKeyID: 54 69 6D 65 20 31 34 39 33 33 32 33 39 32 32 37 35 31 -Key Attributes: ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCbEKYweVNHsWR1 -ilbesQ85gQYS4gLb+0G/M7GwHCGT8birInjicpFgwmn/iKe6Hvm/Op3+C5iqzZuC -jLAzZ5VOwYO/txxWu5vrWYHyCzkb9hzzEV4L3Kjxa9XcYEwZKcbZXBlx4QPKAaZq -k5jgorRPp4FR/hQVcTfd2hxA8/g4HNOj8s6D/8ViNBo75TrL/6mXlwo+iuB6bvxU -jzZNOj4qvTPqw8FDLsmkbWPRVo2DL5DAq0b5WVKAGrKwtARskVAG6B3ZOWltwGdH -FUejTEpRC3LwlBas2nADli4H3192+b4ZDmgLJp585sQDVerNLUqqw+jJo4OTnGCV -uFRSq8I1AgMBAAECggEANFs6wcM1S0+qC8XZ7vb5nQDjfByzunLrkBN0O3JEJB/J -qn7JMixcyb7a61zIxR8QVHEGR3DC62jgyQOXusOOtjjAs0qwVtihnKVsKr1/WuGO -hMOobXjj0iAG5ZHeH+DrMxjVvo2rKdnExtdvFunY18xG7dhMD7Fam525THUTql4K -yxhT7X6MrfS1eFjbR6oAIGNjoNTwyyEjEm4yvHO3PnG2NeyIeu7zIO2k+GimAAXT -tN3AK30lmr3+35k6o+XQAhDE4/6msn6jBVSdLfK35ATFGwrojD0bCgALR4SUNEyd -i33nuNLGyeI7DPWbqmjyWQW9uWLFJD85We2HzqBZQQKBgQDIrJ4PLvYE75dFWnSa -lBr1HZbl/x5mP56MVEiwTabRbUsJoXKlX44lm9hwQaPbuoUAflb1ZtNKbyiRVsuN -Ft5RToU9PWXyFtc2eyLCJToxHI4MhsuGRAaEeic5+l12wdpRxl74eeXdKJK4P/iU -8wdhSxDG2ekkj6lyye5l5iwcBwKBgQDF0Pptcs+yPCz9FRqCmHT/I4QTK1VSD6mW -F2Yd2KEUa4aocIb+L56ghJfYR+enIe9hHmb0ulomJaLLTicZJk6ffDfaQpCFBiS7 -BirDqHX8zlnBHePrBzZPyA5EfGMLxlP4uUk4g28JMFBJaZTEXAnQLUH0mIm0o0YR -mbsaVo/Y4wKBgFsG8iuxAaf7hoLPJVV5GUFWyrxJnWCEO0csdEyE7MbS7NbRhU++ -qJwmtWc2Xz2svegbZxaqLe31vlEvLeYyGWaIV6gP0c6ezcDI2lt2x46/hS/pdSjS -cqJlRqXmC79y77VoZmwP31USsnshiYEHPLHFeza4YilTgWmwb5OJdTjBAoGBAJBC -0P7UhedjvyNqKoUnDdurWPxp07Ueuvw8YDpP61jq+a8JMUlaDQLe76XI+oWGV/6p -n0fGR0weklRV0Gmk6B2jB1BizuZUDqFd4/4ActtE2WvekoKqJc+VA+KqG8lQf5iZ -924BXA6Fb2e6WcXBoV5yQvFP9M0JbWYUiMCydAElAoGBAKof78r8POfTPq9fQA9I -0zsQGnxqnSqyIu5yobM3GyXHBPOKdevlxyXxuMnGTr7upSNZrDrrA+f5Czlu7Fas -qdt/5PmqYQjRsVoHNQFatUzHWwx2vU2Pr1jBpZFBpnjnLwn3A35+UEWn13nCjkla -TrDniEcyId4ya5cMLDnM7Zgw ------END PRIVATE KEY----- 
diff --git a/kubernetes/consul/resources/config/consul-agent-config/clamp-health.json b/kubernetes/consul/resources/config/consul-agent-config/clamp-health.json
deleted file mode 100644
index 5fb57b4b6b..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/clamp-health.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "service": {
- "name": "Health Check: CLAMP",
- "check":[
- {
- "id" : "clamp-health",
- "name": "Clamp Health Check",
- "http": "http://clamp:8080/restservices/clds/v1/clds/healthcheck",
- "tls_skip_verify": true,
- "method": "GET",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
- }
-}
-
diff --git a/kubernetes/consul/resources/config/consul-agent-config/clamp-mariadb-health.json b/kubernetes/consul/resources/config/consul-agent-config/clamp-mariadb-health.json
deleted file mode 100644
index f5ae467d74..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/clamp-mariadb-health.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "service": {
- "name": "Health Check: CLAMP - MariaDb",
- "checks": [
- {
- "id": "clamp-mariadb",
- "name": "CLAMP Mariadb Health Check",
- "script": "/consul/scripts/clamp-mariadb-script.sh",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
-
- }
-}
-
diff --git a/kubernetes/consul/resources/config/consul-agent-config/cli-health-check.json b/kubernetes/consul/resources/config/consul-agent-config/cli-health-check.json
deleted file mode 100644
index 81e55cb871..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/cli-health-check.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "service": {
- "name": "Health Check: ONAP CLI",
- "checks": [
- {
- "id": "cli",
- "name": "CLI Health Check",
- "http": "http://cli.{{include "common.namespace" .}}:8080",
- "method": "GET",
- "interval": "3600s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/log-elastic-search.json b/kubernetes/consul/resources/config/consul-agent-config/log-elastic-search.json
deleted file mode 100644
index 6e580579e1..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/log-elastic-search.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "service": {
- "name": "Health Check: Log - Elastic Search",
- "checks": [
- {
- "id": "log-elasticsearch-server",
- "name": "Log Elastic Search Health Check",
- "http": "http://log-es:9200/_cluster/health?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-elasticsearch-tcp",
- "name": "Log Elastic Search TCP Health Check",
- "tcp": "log-es-tcp:9300",
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/log-kibana.json b/kubernetes/consul/resources/config/consul-agent-config/log-kibana.json
deleted file mode 100644
index 6bca63f7bf..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/log-kibana.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "service": {
- "name": "Health Check: Log - Kibana",
- "checks": [
- {
- "id": "log-kibana-server",
- "name": "Log kibana Health Check",
- "http": "http://log-kibana:5601/status",
- "method": "HEAD",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/log-logstash.json b/kubernetes/consul/resources/config/consul-agent-config/log-logstash.json
deleted file mode 100644
index ea32ecfe2a..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/log-logstash.json
+++ /dev/null
@@ -1,95 +0,0 @@
-{
- "service": {
- "name": "Health Check: Log - Log Stash",
- "checks": [
- {
- "id": "log-logstash-internal-server-gi",
- "name": "Log Stash Health Check - General Information",
- "http": "http://log-ls-http:9600/?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-logstash-internal-server-node-info",
- "name": "Log Stash Health Check - Node Information",
- "http": "http://log-ls-http:9600/_node/?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-logstash-internal-server-os-info",
- "name": "Log Stash Health Check - OS Information",
- "http": "http://log-ls-http:9600/_node/os?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-logstash-internal-server-jvm-info",
- "name": "Log Stash Health Check - JVM Information",
- "http": "http://log-ls-http:9600/_node/jvm?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-logstash-internal-server-plugin-info",
- "name": "Log Stash Health Check - Plugin Information",
- "http": "http://log-ls-http:9600/_node/plugins?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-logstash-internal-server-node-stat",
- "name": "Log Stash Health Check - Node Stats",
- "http": "http://log-ls-http:9600/_node/stats?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-logstash-internal-server-jvm-stat",
- "name": "Log Stash Health Check - JVM Stats",
- "http": "http://log-ls-http:9600/_node/stats/jvm?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-logstash-internal-server-process-stat",
- "name": "Log Stash Health Check - Process Stats",
- "http": "http://log-ls-http:9600/_node/stats/process?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-logstash-internal-server-os-stat",
- "name": "Log Stash Health Check - OS Stats",
- "http": "http://log-ls-http:9600/_node/stats/os?pretty",
- "method": "GET",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "log-logstash-tcp",
- "name": "Log Stash File Beat TCP Health Check",
- "tcp": "log-ls:5044",
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/model-loader.properties b/kubernetes/consul/resources/config/consul-agent-config/model-loader.properties
deleted file mode 100644
index aae18b1e98..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/model-loader.properties
+++ /dev/null
@@ -1,39 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-# Model Loader Distribution Client Configuration
-ml.distribution.ACTIVE_SERVER_TLS_AUTH=false
-ml.distribution.ASDC_ADDRESS=c2.vm1.sdc.simpledemo.openecomp.org:8443
-ml.distribution.CONSUMER_GROUP=aai-ml-group
-ml.distribution.CONSUMER_ID=aai-ml
-ml.distribution.ENVIRONMENT_NAME=AUTO
-ml.distribution.KEYSTORE_PASSWORD=
-ml.distribution.KEYSTORE_FILE=asdc-client.jks
-ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp
-ml.distribution.POLLING_INTERVAL=30
-ml.distribution.POLLING_TIMEOUT=20
-ml.distribution.USER=aai
-ml.distribution.ARTIFACT_TYPES=MODEL_INVENTORY_PROFILE,MODEL_QUERY_SPEC,VNF_CATALOG
-
-# Model Loader AAI REST Client Configuration
-ml.aai.BASE_URL=https://c1.vm1.aai.simpledemo.openecomp.org:8443
-ml.aai.MODEL_URL=/aai/v10/service-design-and-creation/models/model/
-ml.aai.NAMED_QUERY_URL=/aai/v10/service-design-and-creation/named-queries/named-query/
-ml.aai.VNF_IMAGE_URL=/aai/v8/service-design-and-creation/vnf-images
-ml.aai.KEYSTORE_FILE=aai-os-cert.p12
-ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o
-ml.aai.AUTH_USER=ModelLoader
-ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw
diff --git a/kubernetes/consul/resources/config/consul-agent-config/mr-health.json b/kubernetes/consul/resources/config/consul-agent-config/mr-health.json
deleted file mode 100644
index d8c056f006..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/mr-health.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "service": {
- "name": "Health Check: DMaaP",
- "checks":[
- {
- "id": "dmaap",
- "name": "Health Check: Message Router",
- "http": "http://message-router:3904/topics",
- "tls_skip_verify": true,
- "interval": "30s",
- "timeout": "1s"
- },
- {
- "id": "mr-zookeeper",
- "name": "Health Check: Message Router - ZooKeeper",
- "script": "/consul/scripts/mr-zookeeper-health.sh",
- "interval": "10s",
- "timeout": "5s"
- },
- {
- "id": "mr-kafka",
- "name": "Health Check: Message Router - Kafka",
- "script": "/consul/scripts/mr-kafka-health.sh",
- "interval": "30s",
- "timeout": "5s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/msb-health.json b/kubernetes/consul/resources/config/consul-agent-config/msb-health.json
deleted file mode 100644
index ad4e422be1..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/msb-health.json
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- "service": {
- "name": "Health Check: MSB",
- "checks": [
- {
- "id": "msb-eag",
- "name": "MSB eag Health Check",
- "http": "http://msb-eag:80/iui/microservices/default.html",
- "method": "HEAD",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "msb-iag",
- "name": "MSB iag Health Check",
- "http": "http://msb-iag:80/iui/microservices/default.html",
- "method": "HEAD",
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "msb-consul",
- "name": "MSB consul Health Check",
- "tcp": "msb-consul:8500",
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "msb-discovery",
- "name": "MSB discovery Health Check",
- "tcp": "msb-discovery:10081",
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/multicloud-health-check.json b/kubernetes/consul/resources/config/consul-agent-config/multicloud-health-check.json
deleted file mode 100644
index f6e48fac6b..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/multicloud-health-check.json
+++ /dev/null
@@ -1,77 +0,0 @@
-{
- "service": {
- "name": "Health Check: MULTICLOUD",
- "checks": [
- {
- "id": "framework",
- "name": "Framework Health Check",
- "http": "http://framework:9001/api/multicloud/v0/swagger.json",
- "method": "HEAD",
- "header": {
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "multicloud-pike",
- "name": "Multicloud Pike Health Check",
- "http": "http://multicloud-pike:9007/api/multicloud-pike/v0/swagger.json",
- "method": "HEAD",
- "header": {
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "multicloud-starlingx",
- "name": "Multicloud Starlingx Health Check",
- "http": "http://multicloud-starlingx:9009/api/multicloud-starlingx/v0/swagger.json",
- "method": "HEAD",
- "header": {
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "multicloud-vio",
- "name": "Multicloud Vio Health Check",
- "http": "http://multicloud-vio:9004/api/multicloud-vio/v0/swagger.json",
- "method": "HEAD",
- "header": {
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "multicloud-windriver",
- "name": "Multicloud Windriver Health Check",
- "http": "http://multicloud-windriver:9005/api/multicloud-titaniumcloud/v1/swagger.json",
- "method": "HEAD",
- "header": {
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/policy-health.json b/kubernetes/consul/resources/config/consul-agent-config/policy-health.json
deleted file mode 100644
index 9cad9dc1d5..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/policy-health.json
+++ /dev/null
@@ -1,111 +0,0 @@
-{
- "service": {
- "name": "Health Check: Policy",
- "checks": [
- {
- "id": "Policy-mariadb-healthcheck",
- "name": "Policy Mariadb Health Check",
- "script": "/consul/scripts/policy-mariadb-script.sh",
- "interval": "10s",
- "timeout": "1s"
- },
- {
- "id": "policy-nexus-local-status",
- "name": "Policy Nexus Local Status",
- "http": "http://nexus:8081/nexus/service/local/status",
- "method": "GET",
- "header": {
- "Authorization": ["Basic YWRtaW46YWRtaW4xMjM="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "policy-nexus-internal-metrics",
- "name": "Policy Nexus Internal Metrics",
- "http": "http://nexus:8081/nexus/internal/metrics",
- "method": "GET",
- "header": {
- "Authorization": ["Basic YWRtaW46YWRtaW4xMjM="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "policy-nexus-internal-healthcheck",
- "name": "Policy Nexus Internal Healthcheck",
- "http": "http://nexus:8081/nexus/internal/healthcheck",
- "method": "GET",
- "header": {
- "Authorization": ["Basic YWRtaW46YWRtaW4xMjM="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "brmsgw-tcp",
- "name": "BRMSGW Health Check",
- "tcp": "brmsgw:9989",
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "drools",
- "name": "Drools Health Check",
- "http": "https://drools:6969/healthcheck",
- "method": "GET",
- "header": {
- "Authorization": ["Basic ZGVtb0BwZW9wbGUub3NhYWYub3JnOmRlbW8xMjM0NTYh"],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "pap",
- "name": "PAP Health Check",
- "http": "https://pap:9091/pap/test",
- "method": "GET",
- "header": {
- "Authorization": ["Basic dGVzdHBhcDphbHBoYTEyMw=="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- },
- {
- "id": "pdp",
- "name": "PDP Health Check",
- "http": "https://pdp:8081/pdp/test",
- "method": "GET",
- "header": {
- "Authorization": ["Basic dGVzdHBkcDphbHBoYTEyMw=="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-doc.txt b/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-doc.txt
deleted file mode 100644
index a6e084cfea..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-doc.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "vnfId" : "testwrite",
- "device" : "10.198.1.31",
- "timestamp" : "2017-08-23T19:13:56Z",
- "jdmTotalMem" : "2097152",
- "jdmAvailableMem" : "1877272",
- "jdmUserCpu" : "16",
- "jdmSystemCpu" : "3"
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-script.sh
deleted file mode 100755
index 91223f527e..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-script.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-if curl -s -X PUT http://aai-elasticsearch:9200/searchhealth/stats/testwrite -d @/consul/scripts/aai-search-storage-write-doc.txt | grep '\"created\":true'; then
- if curl -s -X DELETE http://aai-elasticsearch:9200/searchhealth/stats/testwrite | grep '\"failed\":0'; then
- if curl -s -X GET http://aai-elasticsearch:9200/searchhealth/stats/testwrite | grep '\"found\":false'; then
- echo Successful PUT, DELETE, GET from Search Document Storage 2>&1
- exit 0
- else
- echo Failed GET from Search Document Storage 2>&1
- exit 1
- fi
- else
- echo Failed DELETE from Search Document Storage 2>&1
- exit 1
- fi
-else
- echo Failed PUT from Search Document Storage 2>&1
- exit 1
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/appc-dbhost-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/appc-dbhost-script.sh
deleted file mode 100755
index 96e4864514..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/appc-dbhost-script.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-APPC_DBHOST_POD=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "appc-dbhost-[^[:space:]]*")
-if [ -n "$APPC_DBHOST_POD" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $APPC_DBHOST_POD -- ./healthcheck.sh |grep -i "mysqld is alive"; then
- echo Success. APPC DBHost is running. 2>&1
- exit 0
- else
- echo Failed. APPC DBHost is not running. 2>&1
- exit 1
- fi
-else
- echo Failed. APPC DBHost is offline. 2>&1
- exit 1
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/clamp-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/clamp-mariadb-script.sh
deleted file mode 100644
index 1b721b363c..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/clamp-mariadb-script.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-clampdb[^[:space:]]*")
-
- if [ -n "$NAME" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then
- echo Success. CLAMP DBHost is running. 2>&1
- exit 0
- else
- echo Failed. CLAMP DBHost is not running. 2>&1
- exit 1
- fi
- else
- echo Failed. CLAMP DBHost is offline. 2>&1
- exit 1
- fi
-
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/data-router-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/data-router-script.sh
deleted file mode 100755
index 2e0078c72f..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/data-router-script.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "aai-data-router[^[:space:]]*")
-
-if [ -n "$NAME" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- ps -efww | grep 'java' | grep 'data-router' > /dev/null; then
-
- echo Success. Synapse process is running. 2>&1
- exit 0
- else
- echo Failed. Synapse process is not running. 2>&1
- exit 1
- fi
-else
- echo Failed. Synapse container is offline. 2>&1
- exit 1
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/model-loader-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/model-loader-script.sh
deleted file mode 100755
index e049402578..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/model-loader-script.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "aai-model-loader[^[:space:]]*")
-
-if [ -n "$NAME" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- ps -efww | grep 'java' | grep 'model-loader' > /dev/null; then
-
- echo Success. Model Loader process is running. 2>&1
- exit 0
- else
- echo Failed. Model Loader process is not running. 2>&1
- exit 1
- fi
-else
- echo Failed. Model Loader container is offline. 2>&1
- exit 1
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-kafka-health.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-kafka-health.sh
deleted file mode 100755
index 816a0103f6..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-kafka-health.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-kafkapod=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-message-router-kafka-[^[:space:]]*")
-if [ -n "$kafkapod" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $kafkapod -- ps ef | grep -i kafka; then
- echo Success. Kafka process is running. 2>&1
- exit 0
- else
- echo Failed. Kafka is not running. 2>&1
- exit 1
- fi
-else
- echo Failed. Kafka container is offline. 2>&1
- exit 1
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-zookeeper-health.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-zookeeper-health.sh
deleted file mode 100755
index debcfd1868..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-zookeeper-health.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-zkpod=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-message-router-zookeeper-[^[:space:]]*")
-if [ -n "$zkpod" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $zkpod -- ps aux | grep -i zookeeper; then
- echo Success. Zookeeper process is running. 2>&1
- exit 0
- else
- echo Failed. Zookeeper is not running. 2>&1
- exit 1
- fi
-else
- echo Failed. Zookeeper container is offline. 2>&1
- exit 1
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/policy-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/policy-mariadb-script.sh
deleted file mode 100644
index 865d477b7d..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/policy-mariadb-script.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-policydb[^[:space:]]*")
-
- if [ -n "$NAME" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then
- echo Success. mariadb process is running. 2>&1
- exit 0
- else
- echo Failed. mariadb process is not running. 2>&1
- exit 1
- fi
- else
- echo Failed. mariadb container is offline. 2>&1
- exit 1
- fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-be-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-be-script.sh
deleted file mode 100755
index c362ffed34..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-be-script.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-## Query the health check API.
-HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck"
-HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT)
-
-## Strip out the ON_BOARDING section from the response XML (otherwise we will
-## get duplicate results when we search for component BE) and check to see if
-## the BE component is reported as up.
-READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "BE" | grep "UP")
-
-if [ -n $READY ]; then
- echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT"
- echo "Produces response: $HEALTH_CHECK_RESPONSE"
- echo "Application is not in an available state"
- return 2
-else
- echo "Application is available."
- return 0
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-cs-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-cs-script.sh
deleted file mode 100755
index 18b5b9d4bd..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-cs-script.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-## Query the health check API.
-HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck"
-HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT)
-
-## Strip out the ON_BOARDING section from the response XML (otherwise we will
-## get duplicate results when we search for component CASSANDRA) and check to see if
-## the CASSANDRA component is reported as up.
-READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "CASSANDRA" | grep "UP")
-
-if [ -n $READY ]; then
- echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT"
- echo "Produces response: $HEALTH_CHECK_RESPONSE"
- echo "Application is not in an available state"
- return 2
-else
- echo "Application is available."
- return 0
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-fe-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-fe-script.sh
deleted file mode 100755
index 21a2b80a3d..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-fe-script.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-## Query the health check API.
-HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck"
-HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT)
-
-## Strip out the ON_BOARDING section from the response XML (otherwise we will
-## get duplicate results when we search for component FE) and check to see if
-## the FE component is reported as up.
-READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "FE" | grep "UP")
-
-if [ -n $READY ]; then
- echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT"
- echo "Produces response: $HEALTH_CHECK_RESPONSE"
- echo "Application is not in an available state"
- return 2
-else
- echo "Application is available."
- return 0
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-titan-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-titan-script.sh
deleted file mode 100755
index fad3ddb293..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-titan-script.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-## Query the health check API.
-HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck"
-HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT)
-
-## Strip out the ON_BOARDING section from the response XML (otherwise we will
-## get duplicate results when we search for component TITAN) and check to see if
-## the TITAN component is reported as up.
-READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "TITAN" | grep "UP")
-
-if [ -n $READY ]; then
- echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT"
- echo "Produces response: $HEALTH_CHECK_RESPONSE"
- echo "Application is not in an available state"
- return 2
-else
- echo "Application is available."
- return 0
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-cluster-health.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-cluster-health.sh
deleted file mode 100755
index ed7aefc0cf..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-cluster-health.sh
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh
-{{/*
-
-# Copyright © 2018 Amdocs
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-# query ODL cluster state
-USERNAME="{{.Values.odl.jolokia.username}}"
-PASSWORD="{{.Values.odl.jolokia.password}}"
-
-count=${SDNC_ODL_COUNT:-1}
-siteId=0
-if [ "$SDNC_IS_PRIMARY_CLUSTER" = "false" ];then
- siteId=1
-fi
-
-for instance in $(seq $count);do
- shard=member-$(( $siteId*$count + $instance ))-shard-default-config
- mbean=Category=Shards,name=$shard,type=DistributedConfigDatastore
- url=http://{{ include "common.release" . }}-sdnc-$(( $instance-1 )).sdnc-cluster.{{.Release.Namespace}}:8181/jolokia/read/org.opendaylight.controller:$mbean
-
- response=$( curl -s -u $USERNAME:$PASSWORD $url )
- rc=$?
- if [ $rc -ne 0 ];then
- # failed to contact SDN-C instance - try another
- echo "Unable to connect to $shard [rc=$?]"
- continue
- fi
-
- status=$( echo "$response" | jq -r ".status" )
- if [ "$status" != "200" ];then
- # query failed, try another instance
- echo "$shard query failed [http-status=$status]"
- continue
- fi
-
- raftState=$( echo "$response" | jq -r ".value.RaftState" )
- if [ "$raftState" = "Leader" -o "$raftState" = "Follower" ];then
- # cluster has a leader and is healthy
- echo "$shard is healthy [RaftState=$raftState]"
- exit 0
- else
- echo "$shard is not healthy [RaftState=$raftState]"
- fi
-done
-
-# ODL cluster is not healthy
-exit 2
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-dbhost-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-dbhost-script.sh
deleted file mode 100755
index c0fbcfbbe3..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-dbhost-script.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-SDNC_DBHOST_POD=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "sdnc-dbhost-[^[:space:]]*")
-if [ -n "$SDNC_DBHOST_POD" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $SDNC_DBHOST_POD -- ./healthcheck.sh |grep -i "mysqld is alive"; then
- echo Success. SDNC DBHost is running. 2>&1
- exit 0
- else
- echo Failed. SDNC DBHost is not running. 2>&1
- exit 1
- fi
-else
- echo Failed. SDNC DBHost is offline. 2>&1
- exit 1
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/search-data-service-availability.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/search-data-service-availability.sh
deleted file mode 100644
index 68ab27dbc9..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/search-data-service-availability.sh
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh
-{{/*
-
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-SEARCH_SERVICE_NAME="search-data-service.{{ include "common.namespace" . }}"
-SEARCH_SERVICE_PORT=9509
-HEALTH_CHECK_INDEX="healthcheck"
-
-# 'Document Index' REST Endpoint
-INDEX_URL="https://$SEARCH_SERVICE_NAME:$SEARCH_SERVICE_PORT/services/search-data-service/v1/search/indexes/$HEALTH_CHECK_INDEX"
-INDEX_SCHEMA="{\"fields\":[{\"name\": \"field1\", \"data-type\": \"string\"}]}"
-
-SEARCH_CERT_FILE="/consul/certs/client-cert-onap.crt.pem"
-SEARCH_KEY_FILE="/consul/certs/client-cert-onap.key.pem"
-
-## Try to create an index via the Search Data Service API.
-CREATE_INDEX_RESP=$(curl -s -o /dev/null -w "%{http_code}" -k --cert $SEARCH_CERT_FILE --cert-type PEM --key $SEARCH_KEY_FILE --key-type PEM -d "$INDEX_SCHEMA" --header "Content-Type: application/json" --header "X-TransactionId: ConsulHealthCheck" -X PUT $INDEX_URL)
-
-RESULT_STRING=" "
-
-if [ $CREATE_INDEX_RESP -eq 201 ]; then
- RESULT_STRING="Service Is Able To Communicate With Back End"
-elif [ $CREATE_INDEX_RESP -eq 400 ]; then
- # A 400 response could mean that the index already exists (ie: we didn't
- # clean up after ourselves on a previous check), so log the response but
- # don't exit yet. If we fail on the delete then we can consider the
- # check a failure, otherwise, we are good.
- RESULT_STRING="$RESULT_STRING Create Index [FAIL - 400 (possible index already exists)] "
-else
- RESULT_STRING="Service API Failure - $CREATE_INDEX_RESP"
- echo $RESULT_STRING
- exit 1
-fi
-
-## Now, clean up after ourselves.
-DELETE_INDEX_RESP=$(curl -s -o /dev/null -w "%{http_code}" -k --cert $SEARCH_CERT_FILE --cert-type PEM --key $SEARCH_KEY_FILE --key-type PEM -d "{ }" --header "Content-Type: application/json" --header "X-TransactionId: ConsulHealthCheck" -X DELETE $INDEX_URL)
-
-if [ $DELETE_INDEX_RESP -eq 200 ]; then
- RESULT_STRING="Service Is Able To Communicate With Back End"
-else
- RESULT_STRING="Service API Failure - $DELETE_INDEX_RESP"
- echo $RESULT_STRING
- exit 1
-fi
-
-echo $RESULT_STRING
-return 0
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-api-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-api-script.sh
deleted file mode 100755
index e0acea7ce9..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-api-script.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-## Query the health check API.
-HEALTH_CHECK_ENDPOINT="http://so:8080/ecomp/mso/infra/healthcheck"
-HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT)
-
-READY=$(echo $HEALTH_CHECK_RESPONSE | grep "Application ready")
-
-if [ -n $READY ]; then
- echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT"
- echo "Produces response: $HEALTH_CHECK_RESPONSE"
- echo "Application is not in an available state"
- return 2
-else
- echo "Application is available."
- return 0
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-camunda-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-camunda-script.sh
deleted file mode 100755
index 2ef5f8c4dd..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-camunda-script.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-## Query the health check API.
-HEALTH_CHECK_ENDPOINT="http://so:8080/mso/healthcheck"
-HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT)
-
-READY=$(echo $HEALTH_CHECK_RESPONSE | grep "Application ready")
-
-if [ -n $READY ]; then
- echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT"
- echo "Produces response: $HEALTH_CHECK_RESPONSE"
- echo "Application is not in an available state"
- return 2
-else
- echo "Application is available."
- return 0
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-jra-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-jra-script.sh
deleted file mode 100755
index deee34c001..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-jra-script.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-## Query the health check API.
-HEALTH_CHECK_ENDPOINT="http://so:8080/networks/rest/healthcheck"
-HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT)
-
-READY=$(echo $HEALTH_CHECK_RESPONSE | grep "Application ready")
-
-if [ -n $READY ]; then
- echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT"
- echo "Produces response: $HEALTH_CHECK_RESPONSE"
- echo "Application is not in an available state"
- return 2
-else
- echo "Application is available."
- return 0
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-mariadb-script.sh
deleted file mode 100755
index a0974c0a45..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-mariadb-script.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-so-db[^[:space:]]*")
-
- if [ -n "$NAME" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then
- echo Success. mariadb process is running. 2>&1
- exit 0
- else
- echo Failed. mariadb process is not running. 2>&1
- exit 1
- fi
- else
- echo Failed. mariadb container is offline. 2>&1
- exit 1
- fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sparky-be-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sparky-be-script.sh
deleted file mode 100755
index 19134cfa76..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sparky-be-script.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "aai-sparky-be[^[:space:]]*")
-
-if [ -n "$NAME" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- ps -efww | grep 'java' | grep 'sparky' > /dev/null; then
-
- echo Success. UI Backend Service process is running. 2>&1
- exit 0
- else
- echo Failed. UI Backend Service process is not running. 2>&1
- exit 1
- fi
-else
- echo Failed. UI Backend Service container is offline. 2>&1
- exit 1
-fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/vid-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/vid-mariadb-script.sh
deleted file mode 100755
index 7b0bc246f6..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/scripts/vid-mariadb-script.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-vid-mariadb[^[:space:]]*")
-
- if [ -n "$NAME" ]; then
- if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then
- echo Success. mariadb process is running. 2>&1
- exit 0
- else
- echo Failed. mariadb process is not running. 2>&1
- exit 1
- fi
- else
- echo Failed. mariadb container is offline. 2>&1
- exit 1
- fi
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdc-health.json b/kubernetes/consul/resources/config/consul-agent-config/sdc-health.json
deleted file mode 100644
index 105635b592..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/sdc-health.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "service": {
- "name": "Health Check: SDC",
- "checks": [
- {
- "id": "sdc-fe-healthcheck",
- "name": "SDC Front End Health Check",
- "script": "/consul/scripts/sdc-fe-script.sh",
- "interval": "10s",
- "timeout": "1s"
- },
- {
- "id": "sdc-be-healthcheck",
- "name": "SDC Back End Health Check",
- "script": "/consul/scripts/sdc-be-script.sh",
- "interval": "10s",
- "timeout": "1s"
- },
- {
- "id": "sdc-titan-healthcheck",
- "name": "SDC Titan Health Check",
- "script": "/consul/scripts/sdc-titan-script.sh",
- "interval": "10s",
- "timeout": "1s"
- },
- {
- "id": "sdc-cs-healthcheck",
- "name": "SDC Cassandra Health Check",
- "script": "/consul/scripts/sdc-cs-script.sh",
- "interval": "10s",
- "timeout": "1s"
- },
- {
- "id": "sdc-catalog-healthcheck",
- "name": "SDC Catalog Health Check",
- "http": "https://sdc-be:8443/asdc/v1/catalog/services",
- "header": {
- "Authorization": ["Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU="],
- "X-ECOMP-InstanceID": ["VID"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-cluster-health.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-cluster-health.json
deleted file mode 100644
index 86a7630392..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-cluster-health.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "Health Check: SDNC ODL Cluster",
- "checks": [
- {
- "id": "sdnc-odl-cluster-healthcheck",
- "name": "SDNC ODL Cluster Health Check",
- "script": "/consul/scripts/sdnc-cluster-health.sh",
- "interval": "15s",
- "timeout": "10s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dbhost.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-dbhost.json
deleted file mode 100644
index ea0ae562e9..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dbhost.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "Health Check: SDNC - DB Host",
- "checks": [
- {
- "id": "sdnc-dbhost-healthcheck",
- "name": "SDNC DBHOST Health Check",
- "script": "/consul/scripts/sdnc-dbhost-script.sh",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dgbuilder.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-dgbuilder.json
deleted file mode 100644
index 72e6be9093..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dgbuilder.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "service": {
- "name": "Health Check: SDNC - DGBuilder",
- "checks": [
- {
- "id": "sdnc-dgbuilder",
- "name": "SDNC-DGbuilder Health Check",
- "http": "http://sdnc-dgbuilder:3000/",
- "method": "HEAD",
- "header": {
- "Authorization": ["Basic ZGd1c2VyOnRlc3QxMjM="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-health.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-health.json
deleted file mode 100644
index 5f42835cf7..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-health.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "service": {
- "name": "Health Check: SDNC",
- "checks": [
- {
- "id": "odl-api-healthcheck",
- "name": "SDNC API Health Check",
- "http": "http://sdnc:8282/restconf/operations/SLI-API:healthcheck",
- "method": "POST",
- "header": {
- "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb01-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb01-healthcheck.json
deleted file mode 100644
index ed196bd0cf..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb01-healthcheck.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "Health Check: SDNC-SDN-CTL-DB-01",
- "checks": [
- {
- "id": "sdnctldb01",
- "name": "SDNC SDNCTLDB01 Health Check",
- "tcp": "sdnc-sdnctldb01:3306",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb02-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb02-healthcheck.json
deleted file mode 100644
index b63329f544..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb02-healthcheck.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "service": {
- "name": "Health Check: SDNC-SDN-CTL-DB-02",
- "checks": [
- {
- "id": "sdnctldb02",
- "name": "SDNC SDNCTLDB02 Health Check",
- "tcp": "sdnc-sdnctldb02:3306",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnhost.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnhost.json
deleted file mode 100644
index db84164fc7..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnhost.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "service": {
- "name": "Health Check: SDNC - SDN Host",
- "checks": [
- {
- "id": "sdnc-sdnhost",
- "name": "SDNC SDN Host Health Check",
- "http": "http://sdnc:8282/apidoc/explorer/index.html",
- "method": "HEAD",
- "header": {
- "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="],
- "Cache-Control": ["no-cache"],
- "Content-Type": ["application/json"],
- "Accept": ["application/json"]
- },
- "tls_skip_verify": true,
- "interval": "15s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/so-health.json b/kubernetes/consul/resources/config/consul-agent-config/so-health.json
deleted file mode 100644
index 565c4a4a7a..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/so-health.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "service": {
- "name": "Health Check: SO",
- "checks": [
- {
- "id": "so-api-healthcheck",
- "name": "SO API Health Check",
- "script": "/consul/scripts/so-api-script.sh",
- "interval": "10s",
- "timeout": "1s"
- },
- {
- "id": "so-camunda-healthcheck",
- "name": "SO Camunda Health Check",
- "script": "/consul/scripts/so-camunda-script.sh",
- "interval": "10s",
- "timeout": "1s"
- },
- {
- "id": "so-jra-healthcheck",
- "name": "SO JRA Health Check",
- "script": "/consul/scripts/so-jra-script.sh",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/so-mariabdb.json b/kubernetes/consul/resources/config/consul-agent-config/so-mariabdb.json
deleted file mode 100644
index fb554208e4..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/so-mariabdb.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "service": {
- "name": "Health Check: SO - MariaDb",
- "checks": [
- {
- "id": "so-mariadb",
- "name": "SO Mariadb Health Check",
- "script": "/consul/scripts/so-mariadb-script.sh",
- "interval": "10s",
- "timeout": "1s"
- }
- ]
-
- }
-}
diff --git a/kubernetes/consul/resources/config/consul-agent-config/vfc-health.json b/kubernetes/consul/resources/config/consul-agent-config/vfc-health.json
deleted file mode 100644
index 3661ac708b..0000000000
--- a/kubernetes/consul/resources/config/consul-agent-config/vfc-health.json
+++ /dev/null
@@ -1,119 +0,0 @@ -{ - "service": { - "name": "Health Check: VFC", - "checks": [ - { - "id": "vfc-catalog", - "name": "VFC catalog Health Check", - "tcp": "vfc-catalog:8806", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-emsdriver", - "name": "VFC emsdriver Health Check", - "tcp": "vfc-ems-driver:8206", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-gvnfmdriver", - "name": "VFC gvnfmdriver Health Check", - "tcp": "vfc-generic-vnfm-driver:8484", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-hwvnfmdriver", - "name": "VFC hwvnfmdriver Health Check", - "tcp": "vfc-huawei-vnfm-driver:8482", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-jujudriver", - "name": "VFC jujudriver Health Check", - "tcp": "vfc-juju-vnfm-driver:8483", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-nokiavnfmdriver", - "name": "VFC nokiavnfmdriver Health Check", - "tcp": "vfc-nokia-vnfm-driver:8486", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-nokiav2vnfmdriver", - "name": "VFC nokiav2vnfmdriver Health Check", - "tcp": "vfc-nokia-v2vnfm-driver:8089", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-nslcm", - "name": "VFC nslcm Health Check", - "tcp": "vfc-nslcm:8403", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-resmgr", - "name": "VFC resmgr Health Check", - "tcp": "vfc-resmgr:8480", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-vnflcm", - "name": "VFC vnflcm Health Check", - "tcp": "vfc-vnflcm:8801", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-vnfmgr", - "name": "VFC vnfmgr Health Check", - "tcp": "vfc-vnfmgr:8803", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-vnfres", - "name": "VFC vnfres Health Check", - "tcp": "vfc-vnfres:8802", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-workflow", - "name": "VFC workflow Health Check", - "tcp": "vfc-workflow:10550", - "interval": "15s", - "timeout": "1s" - }, - { - "id": 
"vfc-workflowengineactiviti", - "name": "VFC workflow-engine Health Check", - "tcp": "vfc-workflow-engine:8080", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-ztesdncdriver", - "name": "VFC ztesdncdriver Health Check", - "tcp": "vfc-zte-sdnc-driver:8411", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-ztevnfmdriver", - "name": "VFC ztevnfmdriver Health Check", - "tcp": "vfc-zte-vnfm-driver:8410", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/vid-health.json b/kubernetes/consul/resources/config/consul-agent-config/vid-health.json deleted file mode 100644 index d6d8d4c03d..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/vid-health.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "service": { - "name": "Health Check: VID", - "checks": [ - { - "id": "vid-server", - "name": "VID Server Health Check", - "http": "http://vid:8080/vid/healthCheck", - "method": "GET", - "header": { - "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vid-mariadb", - "name": "Vid Mariadb Health Check", - "script": "/consul/scripts/vid-mariadb-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/templates/configmap.yaml b/kubernetes/consul/templates/configmap.yaml deleted file mode 100644 index 42c8cba6b4..0000000000 --- a/kubernetes/consul/templates/configmap.yaml +++ /dev/null 
@@ -1,42 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-configmap
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/consul-agent-config/*").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-scripts-configmap
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/consul-agent-config/scripts/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/consul/templates/deployment.yaml b/kubernetes/consul/templates/deployment.yaml
deleted file mode 100644
index c5d12a4693..0000000000
--- a/kubernetes/consul/templates/deployment.yaml
+++ /dev/null
@@ -1,99 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-chown - image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} - command: - - sh - args: - - -c - - | - cp -r -L /tmp/consul/config/* /consul/config/ - chown -R {{ .Values.consulUID }}:{{ .Values.consulGID }} /consul/config - ls -la /consul/config - volumeMounts: - - mountPath: /tmp/consul/config - name: consul-agent-config - - mountPath: /consul/config - name: consul-agent-config-dir - containers: - - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - runAsGroup: {{ .Values.securityContext.runAsGroup }} - command: - - docker-entrypoint.sh - args: - - agent - - -client - - 0.0.0.0 - - -enable-script-checks - - -retry-join - - {{ .Values.consulServer.nameOverride }} - name: {{ include "common.name" . }} - env: - - name: SDNC_ODL_COUNT - value: "{{ .Values.sdnc.replicaCount }}" - - name: SDNC_IS_PRIMARY_CLUSTER - value: "{{ .Values.sdnc.config.isPrimaryCluster }}" - volumeMounts: - - mountPath: /consul/config - name: consul-agent-config-dir - - mountPath: /consul/scripts - name: consul-agent-scripts-config - - mountPath: /consul/certs - name: consul-agent-certs-config - resources: {{ include "common.resources" . | nindent 10 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: consul-agent-config-dir - emptyDir: {} - - configMap: - name: {{ include "common.fullname" . }}-configmap - name: consul-agent-config - - configMap: - name: {{ include "common.fullname" . }}-scripts-configmap - defaultMode: 0755 - name: consul-agent-scripts-config - - secret: - secretName: {{ include "common.fullname" . }}-certs-secret - name: consul-agent-certs-config diff --git a/kubernetes/consul/templates/ingress.yaml b/kubernetes/consul/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/consul/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/consul/templates/secrets.yaml b/kubernetes/consul/templates/secrets.yaml deleted file mode 100644 index 27cfbf00d0..0000000000 --- a/kubernetes/consul/templates/secrets.yaml +++ /dev/null 
@@ -1,28 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-certs-secret
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/consul-agent-config/certs/*").AsSecrets . | indent 2 }}
diff --git a/kubernetes/consul/values.yaml b/kubernetes/consul/values.yaml
deleted file mode 100644
index 9036606377..0000000000
--- a/kubernetes/consul/values.yaml
+++ /dev/null
@@ -1,117 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#################################################################
-# Global configuration defaults.
-#################################################################
-global:
- nodePortPrefix: 302
- busyboxRepository: registry.hub.docker.com
- busyboxImage: library/busybox:latest
-
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-image: onap/oom/consul:2.1.0
-pullPolicy: Always
-
-#subchart name
-consulServer:
- nameOverride: consul-server
-
-consulUID: 100
-consulGID: 1000
-
-# flag to enable debugging - application support required
-debugEnabled: false
-
-# default number of instances
-replicaCount: 1
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 90
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
-
-readiness:
- initialDelaySeconds: 90
- periodSeconds: 10
-
-service: {}
-
-ingress:
- enabled: false
- service:
- - baseaddr: "consul-api"
- name: "consul-server"
- port: 8800
- config:
- ssl: "none"
-
-#resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- #
- # Example:
- # Configure resource requests and limits
- # ref: http://kubernetes.io/docs/user-guide/compute-resources/
- # Minimum memory for development is 2 CPU cores and 4GB memory
- # Minimum memory for production is 4 CPU cores and 8GB memory
-resources:
- small:
- limits:
- cpu: 1
- memory: 1500Mi
- requests:
- cpu: 650m
- memory: 530Mi
- large:
- limits:
- cpu: 2
- memory: 4Gi
- requests:
- cpu: 1
- memory: 2Gi
- unlimited: {}
-
-odl:
- jolokia:
- username: admin
- password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
-
-sdnc:
- config:
- isPrimaryCluster: true
- replicaCount: 1
-
-securityContext:
- fsGroup: 1000
- runAsUser: 100
- runAsGroup: 1000
-
-#Pods Service Account
-serviceAccount:
- nameOverride: consul
- roles:
- - read
diff --git a/kubernetes/contrib/.gitignore b/kubernetes/contrib/.gitignore
deleted file mode 100644
index 7020381894..0000000000
--- a/kubernetes/contrib/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-components/dist
diff --git a/kubernetes/contrib/.helmignore b/kubernetes/contrib/.helmignore
deleted file mode 100644
index 68ffb32406..0000000000
--- a/kubernetes/contrib/.helmignore
+++ /dev/null
@@ -1 +0,0 @@
-components/
diff --git a/kubernetes/contrib/Chart.yaml b/kubernetes/contrib/Chart.yaml
deleted file mode 100755
index b8e3f69c0e..0000000000
--- a/kubernetes/contrib/Chart.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright © 2017 Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP optional tools
-name: contrib
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: awx
- version: ~12.x-0
- repository: 'file://components/awx'
- condition: awx.enabled
- - name: ejbca
- version: ~12.x-0
- repository: 'file://components/ejbca'
- condition: global.cmpv2Enabled
- - name: netbox
- version: ~12.x-0
- repository: 'file://components/netbox'
- condition: netbox.enabled
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
\ No newline at end of file
diff --git a/kubernetes/contrib/Makefile b/kubernetes/contrib/Makefile
deleted file mode 100644
index c3bbfa57b9..0000000000
--- a/kubernetes/contrib/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES := dns-server-for-vhost-ingress-testing ingress-nginx-post-inst metallb-loadbalancer-inst tools
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/contrib/components/Makefile b/kubernetes/contrib/components/Makefile
deleted file mode 100644
index 9544d70f33..0000000000
--- a/kubernetes/contrib/components/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES :=
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/contrib/components/awx/Chart.yaml b/kubernetes/contrib/components/awx/Chart.yaml
deleted file mode 100755
index 38689dee53..0000000000
--- a/kubernetes/contrib/components/awx/Chart.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright © 2019 Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Ansible AWX
-name: awx
-sources:
- - https://github.com/ansible/awx
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: awx-postgres
- version: ~12.x-0
- repository: 'file://components/awx-postgres'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
\ No newline at end of file
diff --git a/kubernetes/contrib/components/awx/Makefile b/kubernetes/contrib/components/awx/Makefile
deleted file mode 100644
index ef273d0e9b..0000000000
--- a/kubernetes/contrib/components/awx/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES := dist resources templates charts docker
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/contrib/components/awx/components/Makefile b/kubernetes/contrib/components/awx/components/Makefile
deleted file mode 100644
index 79ba2fb47e..0000000000
--- a/kubernetes/contrib/components/awx/components/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES :=
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/Chart.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/Chart.yaml
deleted file mode 100755
index 7d6045642f..0000000000
--- a/kubernetes/contrib/components/awx/components/awx-postgres/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright © 2019 Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Ansible AWX database
-name: awx-postgres
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/NOTES.txt b/kubernetes/contrib/components/awx/components/awx-postgres/templates/NOTES.txt
deleted file mode 100755
index 3ab092e848..0000000000
--- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
- http://{{ . }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
-{{- end }}
diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml
deleted file mode 100755
index 3b4dad55ec..0000000000
--- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml
+++ /dev/null
@@ -1,90 +0,0 @@
-{{/*
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- app: {{ include "common.name" . }}
- template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- spec:
- containers:
- - name: {{ include "common.name" . }}
- image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- ports:
- - containerPort: {{ .Values.service.internalPort }}
- readinessProbe:
- exec:
- command:
- - /bin/sh
- - -i
- - -c
- - psql -h 127.0.0.1 -U $POSTGRES_USER -q -d {{ .Values.config.postgresDB }}
- -c 'SELECT 1'
- initialDelaySeconds: 5
- timeoutSeconds: 1
- env:
- - name: POSTGRES_USER
- value: "{{ .Values.config.postgresUser }}"
- - name: POSTGRES_PASSWORD
- value: "{{ .Values.config.postgresPassword }}"
- - name: POSTGRES_DB
- value: "{{ .Values.config.postgresDB }}"
- volumeMounts:
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- - name: {{ include "common.fullname" . }}-data
- mountPath: /var/lib/postgresql/
- resources:
-{{ include "common.resources" . | indent 12 }}
- {{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 10 }}
- {{- end -}}
- {{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 10 }}
- {{- end }}
- serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
- - name: localtime
- hostPath:
- path: /etc/localtime
- {{- if .Values.persistence.enabled }}
- - name: {{ include "common.fullname" . }}-data
- persistentVolumeClaim:
- claimName: {{ include "common.fullname" . }}
- {{- else }}
- emptyDir: {}
- {{- end }}
- imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pv.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/pv.yaml
deleted file mode 100755
index bfe63abafe..0000000000
--- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pv.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{/*
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-{{- if eq "True" (include "common.needPV" .) -}}
-kind: PersistentVolume
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
- name: {{ include "common.fullname" . }}
-spec:
- capacity:
- storage: {{ .Values.persistence.size}}
- accessModes:
- - {{ .Values.persistence.accessMode }}
- persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }}
- storageClassName: "{{ include "common.fullname" . }}-data"
- hostPath:
- path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pvc.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/pvc.yaml
deleted file mode 100755
index e12dabf175..0000000000
--- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pvc.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{/*
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
-{{- if .Values.persistence.annotations }}
- annotations:
-{{ .Values.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
- accessModes:
- - {{ .Values.persistence.accessMode }}
- storageClassName: {{ include "common.storageClass" . }}
- resources:
- requests:
- storage: {{ .Values.persistence.size }}
-{{- end -}}
diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/service.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/service.yaml
deleted file mode 100755
index f560417425..0000000000
--- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/service.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-{{/*
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
- {{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml
deleted file mode 100755
index a6dc5ff90a..0000000000
--- a/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Default values for mariadb.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-global: # global defaults
- nodePortPrefixExt: 304
- persistence: {}
-
-# application image
-image: postgres:10.4-alpine
-pullPolicy: Always
-
-# application configuration
-config:
- postgresUser: awx
- postgresPassword: awx
- postgresDB: awx
-
-ingress:
- enabled: false
-
-# default number of instances
-replicaCount: 1
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 10
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
-
-readiness:
- initialDelaySeconds: 10
- periodSeconds: 10
-
-## Persist data to a persitent volume
-persistence:
- enabled: true
- volumeReclaimPolicy: Retain
-
- # Uncomment the storageClass parameter to use an existing PV
- # that will match the following class.
- # When uncomment the storageClass, the PV is not created anymore.
-
- # storageClass: "nfs-dev-sc"
-
- accessMode: ReadWriteOnce
- size: 1Gi
-
- # When using storage class, mountPath and mountSubPath are
- # simply ignored.
-
- mountPath: /dockerdata-nfs
- mountSubPath: awx/pgdata
-
-service:
- type: ClusterIP
- name: awx-postgresql
- portName: tcp-postgresql
- internalPort: 5432
- externalPort: 5432
-
-resources: {}
-
-#Pods Service Account
-serviceAccount:
- nameOverride: awx-postgres
- roles:
- - read
diff --git a/kubernetes/contrib/components/awx/resources/config/credentials.py b/kubernetes/contrib/components/awx/resources/config/credentials.py
deleted file mode 100644
index 85808d10d4..0000000000
--- a/kubernetes/contrib/components/awx/resources/config/credentials.py
+++ /dev/null
@@ -1,38 +0,0 @@
-{{/*
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-DATABASES = {
- 'default': {
- 'ATOMIC_REQUESTS': True,
- 'ENGINE': 'awx.main.db.profiled_pg',
- 'NAME': "{{ .Values.config.postgresDB }}",
- 'USER': "{{ .Values.config.postgresUser }}",
- 'PASSWORD': "{{ .Values.config.postgresPassword }}",
- 'HOST': "awx-postgresql",
- 'PORT': "5432",
- }
-}
-BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format(
- "{{ .Values.config.rabbitmqUser }}",
- "{{ .Values.config.rabbitmqPassword }}",
- "localhost",
- "5672",
- "{{ .Values.config.rabbitmqVhost }}")
-CHANNEL_LAYERS = {
- 'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer',
- 'ROUTING': 'awx.main.routing.channel_routing',
- 'CONFIG': {'url': BROKER_URL}}
-}
\ No newline at end of file
diff --git a/kubernetes/contrib/components/awx/resources/config/environment.sh b/kubernetes/contrib/components/awx/resources/config/environment.sh
deleted file mode 100644
index cbfe2857ba..0000000000
--- a/kubernetes/contrib/components/awx/resources/config/environment.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-
-{{/*
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-DATABASE_USER={{ .Values.config.postgresUser }}
-DATABASE_NAME={{ .Values.config.postgresDB }}
-DATABASE_HOST=awx-postgresql
-DATABASE_PORT=5432
-DATABASE_PASSWORD={{ .Values.config.postgresPassword }}
-MEMCACHED_HOST=localhost
-RABBITMQ_HOST=localhost
-AWX_ADMIN_USER={{ .Values.config.awxAdminUser }}
-AWX_ADMIN_PASSWORD={{ .Values.config.awxAdminPassword }}
\ No newline at end of file
diff --git a/kubernetes/contrib/components/awx/templates/configmap.yaml b/kubernetes/contrib/components/awx/templates/configmap.yaml
deleted file mode 100644
index 59900f1c64..0000000000
--- a/kubernetes/contrib/components/awx/templates/configmap.yaml
+++ /dev/null
@@ -1,238 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-init-mgnt - namespace: {{ include "common.namespace" . }} -data: - entrypoint: | - #/bin/sh - - awx-manage migrate --noinput - if [[ `echo 'from django.contrib.auth.models import User; nsu = User.objects.filter(is_superuser=True).count(); exit(0 if nsu > 0 else 1)' | awx-manage shell` > 0 ]] - then - echo 'from django.contrib.auth.models import User; User.objects.create_superuser('{{ .Values.config.awxAdminUser }}', '{{ .Values.config.awxAdminEmail }}', '{{ .Values.config.awxAdminPassword }}')' | awx-manage shell - awx-manage update_password --username='{{ .Values.config.awxAdminUser }}' --password='{{ .Values.config.awxAdminPassword }}' - fi ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-settings - namespace: {{ include "common.namespace" . 
}} -data: - awx_settings: | - import os - import socket - ADMINS = () - - AWX_PROOT_ENABLED = True - - # Automatically deprovision pods that go offline - AWX_AUTO_DEPROVISION_INSTANCES = True - - SYSTEM_TASK_ABS_CPU = 6 - SYSTEM_TASK_ABS_MEM = 20 - - INSIGHTS_URL_BASE = "https://example.org" - - #Autoprovisioning should replace this - CLUSTER_HOST_ID = socket.gethostname() - SYSTEM_UUID = '00000000-0000-0000-0000-000000000000' - - SESSION_COOKIE_SECURE = False - CSRF_COOKIE_SECURE = False - - REMOTE_HOST_HEADERS = ['HTTP_X_FORWARDED_FOR'] - - STATIC_ROOT = '/var/lib/awx/public/static' - PROJECTS_ROOT = '/var/lib/awx/projects' - JOBOUTPUT_ROOT = '/var/lib/awx/job_status' - SECRET_KEY = open('/etc/tower/SECRET_KEY', 'rb').read().strip() - ALLOWED_HOSTS = ['*'] - INTERNAL_API_URL = 'http://127.0.0.1:8052' - SERVER_EMAIL = 'root@localhost' - DEFAULT_FROM_EMAIL = 'webmaster@localhost' - EMAIL_SUBJECT_PREFIX = '[AWX] ' - EMAIL_HOST = 'localhost' - EMAIL_PORT = 25 - EMAIL_HOST_USER = '' - EMAIL_HOST_PASSWORD = '' - EMAIL_USE_TLS = False - - LOGGING['handlers']['console'] = { - '()': 'logging.StreamHandler', - 'level': 'DEBUG', - 'formatter': 'simple', - } - - LOGGING['loggers']['django.request']['handlers'] = ['console'] - LOGGING['loggers']['rest_framework.request']['handlers'] = ['console'] - LOGGING['loggers']['awx']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.commands.inventory_import']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console'] - LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console'] - LOGGING['loggers']['social']['handlers'] = ['console'] - LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console'] - LOGGING['loggers']['rbac_migrations']['handlers'] = ['console'] - 
LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console'] - LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'} - - CACHES = { - 'default': { - 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', - 'LOCATION': '{}:{}'.format("localhost", "11211") - }, - 'ephemeral': { - 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', - }, - } - - USE_X_FORWARDED_PORT = True ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-rabbitmq - namespace: {{ include "common.namespace" . }} -data: - enabled_plugins: | - [rabbitmq_management,rabbitmq_peer_discovery_k8s]. 
- rabbitmq.conf: | - ## Clustering - management.load_definitions = /etc/rabbitmq/rabbitmq_definitions.json - cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s - cluster_formation.k8s.host = kubernetes.default.svc - cluster_formation.k8s.address_type = ip - cluster_formation.node_cleanup.interval = 10 - cluster_formation.node_cleanup.only_log_warning = false - cluster_partition_handling = autoheal - ## queue master locator - queue_master_locator=min-masters - ## enable guest user - loopback_users.guest = false - rabbitmq_definitions.json: | - { - "users":[{"name": "{{ .Values.config.rabbitmqUser }}", "password": "{{ .Values.config.rabbitmqPassword }}", "tags": ""}], - "permissions":[ - {"user":"{{ .Values.config.rabbitmqUser }}","vhost":"{{ .Values.config.rabbitmqVhost }}","configure":".*","write":".*","read":".*"} - ], - "vhosts":[{"name":"{{ .Values.config.rabbitmqVhost }}"}], - "policies":[ - {"vhost":"{{ .Values.config.rabbitmqVhost }}","name":"ha-all","pattern":".*","definition":{"ha-mode":"all","ha-sync-mode":"automatic"}} - ] - } ---- - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx-conf - namespace: {{ include "common.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "common.name" . }} - helm.sh/chart: {{ include "common.chart" . 
}} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -data: - nginx.conf: | - worker_processes 1; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - server_tokens off; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /dev/stdout main; - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - sendfile on; - #tcp_nopush on; - #gzip on; - upstream uwsgi { - server 127.0.0.1:8050; - } - upstream daphne { - server 127.0.0.1:8051; - } - server { - listen 8052 default_server; - # If you have a domain name, this is where to add it - server_name _; - keepalive_timeout 65; - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) - add_header X-Frame-Options "DENY"; - location /nginx_status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - location /static/ { - alias /var/lib/awx/public/static/; - } - location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; } - location /websocket { - # Pass request to the upstream alias - proxy_pass http://daphne; - # Require http version 1.1 to allow for upgrade requests 
- proxy_http_version 1.1; - # We want proxy_buffering off for proxying to websockets. - proxy_buffering off; - # http://en.wikipedia.org/wiki/X-Forwarded-For - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # enable this if you use HTTPS: - proxy_set_header X-Forwarded-Proto https; - # pass the Host: header from the client for the sake of redirects - proxy_set_header Host $http_host; - # We've set the Host header, so we don't need Nginx to muddle - # about with redirects - proxy_redirect off; - # Depending on the request value, set the Upgrade and - # connection headers - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } - location / { - # Add trailing / if missing - rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; - uwsgi_read_timeout 120s; - uwsgi_pass uwsgi; - include /etc/nginx/uwsgi_params; - proxy_set_header X-Forwarded-Port 443; - } - } - } diff --git a/kubernetes/contrib/components/awx/templates/job.yaml b/kubernetes/contrib/components/awx/templates/job.yaml deleted file mode 100644 index 1ebe340a68..0000000000 --- a/kubernetes/contrib/components/awx/templates/job.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - backoffLimit: 5 - template: - metadata: - labels: - app: {{ include "common.name" . }}-mgnt - release: {{ include "common.release" . }} - spec: - serviceAccount: {{ include "common.fullname" . }} - serviceAccountName: {{ include "common.fullname" . }} - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - awx-postgres - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-mgnt - command: - - /bin/sh - - -cx - - | - {{- if include "common.onServiceMesh" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /etc/tower/job-entrypoint.sh - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.task }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - requests: - cpu: 1500m - memory: 2Gi - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/tower/job-entrypoint.sh - name: awx-mgnt - readOnly: true - subPath: job-entrypoint.py - - mountPath: /etc/tower/settings.py - name: awx-application-config - readOnly: true - subPath: settings.py - - mountPath: /etc/tower/conf.d/ - name: awx-application-credentials - readOnly: true - - mountPath: /etc/tower/SECRET_KEY - name: awx-secret-key - readOnly: true - subPath: SECRET_KEY - {{ include "common.waitForJobContainer" . | indent 6 | trim }} - volumes: - - configMap: - defaultMode: 0777 - items: - - key: entrypoint - path: job-entrypoint.py - name: {{ include "common.fullname" . }}-init-mgnt - name: awx-mgnt - - configMap: - defaultMode: 420 - items: - - key: awx_settings - path: settings.py - name: {{ include "common.fullname" . }}-settings - name: awx-application-config - - name: awx-application-credentials - secret: - defaultMode: 420 - items: - - key: credentials_py - path: credentials.py - - key: environment_sh - path: environment.sh - secretName: {{ include "common.fullname" . }}-secrets - - name: awx-secret-key - secret: - defaultMode: 420 - items: - - key: secret_key - path: SECRET_KEY - secretName: {{ include "common.fullname" . }}-secrets - - configMap: - defaultMode: 420 - items: - - key: rabbitmq.conf - path: rabbitmq.conf - - key: enabled_plugins - path: enabled_plugins - - key: rabbitmq_definitions.json - path: rabbitmq_definitions.json - name: {{ include "common.fullname" . }}-rabbitmq - name: rabbitmq-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/templates/secret.yaml b/kubernetes/contrib/components/awx/templates/secret.yaml deleted file mode 100644 index 642f779214..0000000000 
--- a/kubernetes/contrib/components/awx/templates/secret.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: {{ include "common.fullname" . }}-secrets
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
- credentials_py: {{ tpl (.Files.Get "resources/config/credentials.py") . | b64enc }}
- environment_sh: {{ tpl (.Files.Get "resources/config/environment.sh") . | b64enc }}
- rabbitmq_erlang_cookie: {{ .Values.config.rabbitmqErlangCookie | b64enc | quote }}
- secret_key: {{ .Values.config.secretKey | b64enc | quote }}
\ No newline at end of file
diff --git a/kubernetes/contrib/components/awx/templates/service.yaml b/kubernetes/contrib/components/awx/templates/service.yaml
deleted file mode 100755
index 85ec8c8428..0000000000
--- a/kubernetes/contrib/components/awx/templates/service.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-rmq-mgmt - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.rmqmgmt.type }} - ports: - - port: {{ .Values.service.rmqmgmt.externalPort }} - targetPort: {{ .Values.service.rmqmgmt.internalPort }} - name: {{ .Values.service.rmqmgmt.portName }} - selector: - app: {{ include "common.fullname" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-web - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.web.type }} - ports: - - port: {{ .Values.service.web.externalPort }} - targetPort: {{ .Values.service.web.internalPort }} - name: {{ .Values.service.web.portName }} - selector: - app: {{ include "common.fullname" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . 
}}-rabbitmq - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - type: LoadBalancer -spec: - type: {{ .Values.service.rabbitmq.type }} - ports: - - port: {{ .Values.service.rabbitmq.http.externalPort }} - targetPort: {{ .Values.service.rabbitmq.http.internalPort }} - name: {{ .Values.service.rabbitmq.http.portName }} - - port: {{ .Values.service.rabbitmq.amqp.externalPort }} - targetPort: {{ .Values.service.rabbitmq.amqp.internalPort }} - name: {{ .Values.service.rabbitmq.amqp.portName }} - selector: - app: {{ include "common.fullname" . }} - release: {{ include "common.release" . }} \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/templates/serviceaccount.yaml b/kubernetes/contrib/components/awx/templates/serviceaccount.yaml deleted file mode 100644 index 15baf0e308..0000000000 --- a/kubernetes/contrib/components/awx/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,44 +0,0 @@
-{{/*
-# Copyright © 2019 Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "common.fullname" . }}-endpoint-reader
- namespace: {{ include "common.namespace" . }}
-rules:
-- apiGroups: ["", "extensions", "apps", "batch"]
- resources: ["endpoints", "deployments", "pods", "replicasets/status", "jobs/status"]
- verbs: ["get", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "common.fullname" . }}-endpoint-reader
- namespace: {{ include "common.namespace" . }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "common.fullname" . }}-endpoint-reader
-subjects:
-- kind: ServiceAccount
- name: {{ include "common.fullname" . }}
\ No newline at end of file
diff --git a/kubernetes/contrib/components/awx/templates/statefulset.yaml b/kubernetes/contrib/components/awx/templates/statefulset.yaml
deleted file mode 100644
index 1f2c093742..0000000000
--- a/kubernetes/contrib/components/awx/templates/statefulset.yaml
+++ /dev/null
@@ -1,227 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - podManagementPolicy: OrderedReady - replicas: {{ .Values.replicaCount }} - serviceName: {{ include "common.fullname" . }} - selector: - matchLabels: - app: {{ include "common.fullname" . }} - name: {{ include "common.name" . }}-web-deploy - service: django - template: - metadata: - labels: - app: {{ include "common.fullname" . }} - name: {{ include "common.name" . }}-web-deploy - release: {{ include "common.release" . }} - service: django - spec: - - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.name" . }}-mgnt - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - containers: - - - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.web }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-web - ports: - - containerPort: {{ .Values.service.web.internalPort }} - protocol: TCP - resources: - requests: - cpu: 500m - memory: 1Gi - volumeMounts: - - mountPath: /etc/tower/settings.py - name: awx-application-config - readOnly: true - subPath: settings.py - - mountPath: /etc/tower/conf.d/ - name: awx-application-credentials - readOnly: true - - mountPath: /etc/tower/SECRET_KEY - name: awx-secret-key - readOnly: true - subPath: SECRET_KEY - - mountPath: /etc/nginx/nginx.conf - name: awx-nginx-conf - subPath: "nginx.conf" - - - command: ["/bin/sh","-c"] - args: ["/usr/bin/launch_awx_task.sh"] - env: - - name: AWX_SKIP_MIGRATIONS - value: "1" - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.task }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-celery - resources: - requests: - cpu: 1500m - memory: 2Gi - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/tower/settings.py - name: awx-application-config - readOnly: true - subPath: settings.py - - mountPath: /etc/tower/conf.d/ - name: awx-application-credentials - readOnly: true - - mountPath: /etc/tower/SECRET_KEY - name: awx-secret-key - readOnly: true - subPath: SECRET_KEY - - mountPath: /etc/nginx/nginx.conf - name: awx-nginx-conf - subPath: "nginx.conf" - - env: - - name: MY_POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: RABBITMQ_USE_LONGNAME - value: "true" - - name: RABBITMQ_NODENAME - value: rabbit@$(MY_POD_IP) - - name: RABBITMQ_ERLANG_COOKIE - valueFrom: - secretKeyRef: - key: rabbitmq_erlang_cookie - name: {{ include "common.fullname" . }}-secrets - - name: K8S_SERVICE_NAME - value: {{ include "common.servicename" . }}-rabbitmq - - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.rabbitmq }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-rabbit - livenessProbe: - exec: - command: - - rabbitmqctl - - status - failureThreshold: 3 - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - successThreshold: 1 - timeoutSeconds: 10 - ports: - - containerPort: {{ .Values.service.rabbitmq.http.internalPort }} - name: {{ .Values.service.rabbitmq.http.portName }} - protocol: TCP - - containerPort: {{ .Values.service.rabbitmq.amqp.internalPort }} - name: {{ .Values.service.rabbitmq.amqp.portName }} - protocol: TCP - readinessProbe: - exec: - command: - - rabbitmqctl - - status - failureThreshold: 3 - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - successThreshold: 1 - timeoutSeconds: 10 - resources: - requests: - cpu: 500m - memory: 2Gi - volumeMounts: - - mountPath: /etc/rabbitmq - name: rabbitmq-config - - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-memcached - resources: - requests: - cpu: 500m - memory: 1Gi - serviceAccount: {{ include "common.fullname" . }} - serviceAccountName: {{ include "common.fullname" . }} - volumes: - - configMap: - defaultMode: 420 - items: - - key: awx_settings - path: settings.py - name: {{ include "common.fullname" . }}-settings - name: awx-application-config - - name: awx-application-credentials - secret: - defaultMode: 420 - items: - - key: credentials_py - path: credentials.py - - key: environment_sh - path: environment.sh - secretName: {{ include "common.fullname" . }}-secrets - - name: awx-secret-key - secret: - defaultMode: 420 - items: - - key: secret_key - path: SECRET_KEY - secretName: {{ include "common.fullname" . 
}}-secrets - - configMap: - defaultMode: 420 - items: - - key: rabbitmq.conf - path: rabbitmq.conf - - key: enabled_plugins - path: enabled_plugins - - key: rabbitmq_definitions.json - path: rabbitmq_definitions.json - name: {{ include "common.fullname" . }}-rabbitmq - name: rabbitmq-config - - configMap: - defaultMode: 420 - items: - - key: nginx.conf - path: nginx.conf - name: {{ include "common.fullname" . }}-nginx-conf - name: awx-nginx-conf - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/values.yaml b/kubernetes/contrib/components/awx/values.yaml deleted file mode 100755 index c30999fa6d..0000000000 --- a/kubernetes/contrib/components/awx/values.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - commonConfigPrefix: awx - persistence: {} - -# application image -image: - web: ansible/awx_web:9.0.1 - task: ansible/awx_task:9.0.1 - rabbitmq: ansible/awx_rabbitmq:3.7.4 - memcached: memcached:1.5.20 -pullPolicy: Always - -# application configuration -config: - postgresUser: awx - postgresPassword: awx - postgresDB: awx -# RabbitMQ Configuration - rabbitmqUser: awx - rabbitmqPassword: awxpass - rabbitmqVhost: awx - rabbitmqErlangCookie: cookiemonster3 -# This will create or update a default admin (superuser) account in AWX, if not provided -# then these default values are used - awxAdminUser: admin - awxAdminPassword: password - awxAdminEmail: cds@onap.org -# AWX Secret key -# It's *very* important that this stay the same between upgrades or you will lose the ability to decrypt -# your credentials - secretKey: awxsecret - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - enabled: true - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - - # Uncomment the storageClass parameter to use an 
existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - accessMode: ReadWriteOnce - size: 5Gi - - # When using storage class, mountPath and mountSubPath are - # simply ignored. - - mountPath: /dockerdata-nfs - mountSubPath: awx/pgdata - -service: - rmqmgmt: - type: ClusterIP - portName: http-rmqmgmt - internalPort: 15672 - externalPort: 15672 - web: - type: ClusterIP - portName: http-web - internalPort: 8052 - externalPort: 8052 - rabbitmq: - type: ClusterIP - http: - portName: http-rmq - internalPort: 15672 - externalPort: 15672 - amqp: - portName: tcp-amqp - internalPort: 5672 - externalPort: 5672 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: awx - roles: - - read - -wait_for_job_container: - containers: - - '{{ include "common.name" . }}-mgnt' diff --git a/kubernetes/contrib/components/ejbca/Chart.yaml b/kubernetes/contrib/components/ejbca/Chart.yaml deleted file mode 100644 index e8a0134298..0000000000 --- a/kubernetes/contrib/components/ejbca/Chart.yaml +++ /dev/null 
@@ -1,42 +0,0 @@
-# Copyright © 2020 Nokia
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP EJBCA test server
-name: ejbca
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: mariadb-galera
- version: ~12.x-0
- repository: '@local'
- condition: global.mariadbGalera.localCluster
- - name: mariadb-init
- version: ~12.x-0
- repository: '@local'
- condition: not global.mariadbGalera.localCluster
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: cmpv2Config
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
\ No newline at end of file
diff --git a/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml b/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml
deleted file mode 100644
index e163aed82a..0000000000
--- a/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml
+++ /dev/null
@@ -1,595 +0,0 @@ - - - - - version - 46.0 - - - type - 1 - - - certversion - X509v3 - - - encodedvalidity - 2y - - - usecertificatevalidityoffset - false - - - certificatevalidityoffset - -10m - - - useexpirationrestrictionforweekdays - false - - - expirationrestrictionforweekdaysbefore - true - - - expirationrestrictionweekdays - - - true - - - true - - - false - - - false - - - false - - - true - - - true - - - - - allowvalidityoverride - false - - - allowextensionoverride - false - - - allowdnoverride - false - - - allowdnoverridebyeei - false - - - allowbackdatedrevokation - false - - - usecertificatestorage - true - - - storecertificatedata - true - - - storesubjectaltname - true - - - usebasicconstrants - true - - - basicconstraintscritical - true - - - usesubjectkeyidentifier - true - - - subjectkeyidentifiercritical - false - - - useauthoritykeyidentifier - true - - - authoritykeyidentifiercritical - false - - - usesubjectalternativename - true - - - subjectalternativenamecritical - false - - - useissueralternativename - true - - - issueralternativenamecritical - false - - - usecrldistributionpoint - false - - - usedefaultcrldistributionpoint - false - - - crldistributionpointcritical - false - - - crldistributionpointuri - - - - usefreshestcrl - false - - - usecadefinedfreshestcrl - false - - - freshestcrluri - - - - crlissuer - - - - usecertificatepolicies - false - - - certificatepoliciescritical - false - - - certificatepolicies - - - - availablekeyalgorithms - - - DSA - - - ECDSA - - - RSA - - - - - availableeccurves - - - ANY_EC_CURVE - - - - - availablebitlengths - - - 0 - - - 192 - - - 224 - - - 239 - - - 256 - - - 384 - - - 512 - - - 521 - - - 1024 - - - 1536 - - - 2048 - - - 3072 - - - 4096 - - - 6144 - - - 8192 - - - - - minimumavailablebitlength - 0 - - - maximumavailablebitlength - 8192 - - - signaturealgorithm - - - - usekeyusage - true - - - keyusage - - - true - - - true - - - true - - - false - - - false - - - false - - - false - - - false 
- - - false - - - - - allowkeyusageoverride - false - - - keyusagecritical - true - - - useextendedkeyusage - true - - - extendedkeyusage - - - 1.3.6.1.5.5.7.3.2 - - - 1.3.6.1.5.5.7.3.4 - - - 1.3.6.1.5.5.7.3.1 - - - - - extendedkeyusagecritical - false - - - usedocumenttypelist - false - - - documenttypelistcritical - false - - - documenttypelist - - - - availablecas - - - -1 - - - - - usedpublishers - - - - useocspnocheck - false - - - useldapdnorder - true - - - usecustomdnorder - false - - - usemicrosofttemplate - false - - - microsofttemplate - - - - usecardnumber - false - - - usecnpostfix - false - - - cnpostfix - - - - usesubjectdnsubset - false - - - subjectdnsubset - - - - usesubjectaltnamesubset - false - - - subjectaltnamesubset - - - - usepathlengthconstraint - false - - - pathlengthconstraint - 0 - - - useqcstatement - false - - - usepkixqcsyntaxv2 - false - - - useqcstatementcritical - false - - - useqcstatementraname - - - - useqcsematicsid - - - - useqcetsiqccompliance - false - - - useqcetsisignaturedevice - false - - - useqcetsivaluelimit - false - - - qcetsivaluelimit - 0 - - - qcetsivaluelimitexp - 0 - - - qcetsivaluelimitcurrency - - - - useqcetsiretentionperiod - false - - - qcetsiretentionperiod - 0 - - - useqccustomstring - false - - - qccustomstringoid - - - - qccustomstringtext - - - - qcetsipds - - - - qcetsitype - - - - usecertificatetransparencyincerts - false - - - usecertificatetransparencyinocsp - false - - - usecertificatetransparencyinpublisher - false - - - usesubjectdirattributes - false - - - usenameconstraints - false - - - useauthorityinformationaccess - false - - - caissuers - - - - usedefaultcaissuer - false - - - usedefaultocspservicelocator - false - - - ocspservicelocatoruri - - - - cvcaccessrights - 3 - - - usedcertificateextensions - - - - approvals - - - - org.cesecore.certificates.ca.ApprovalRequestType - REVOCATION - - -1 - - - - org.cesecore.certificates.ca.ApprovalRequestType - KEYRECOVER - - -1 - - - - 
org.cesecore.certificates.ca.ApprovalRequestType - ADDEDITENDENTITY - - -1 - - - - - useprivkeyusageperiodnotbefore - false - - - useprivkeyusageperiod - false - - - useprivkeyusageperiodnotafter - false - - - privkeyusageperiodstartoffset - 0 - - - privkeyusageperiodlength - 63072000 - - - usesingleactivecertificateconstraint - false - - - overridableextensionoids - - - - nonoverridableextensionoids - - - - allowcertsnoverride - false - - - usecustomdnorderldap - false - - - diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh deleted file mode 100755 index a538238151..0000000000 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/bin/sh - -waitForEjbcaToStart() { - until $(curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth --output /dev/null --silent --head --fail) - do - sleep 5 - done -} - -configureEjbca() { - ejbca.sh ca init \ - --caname ManagementCA \ - --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ - --tokenType soft \ - --keyspec 3072 \ - --keytype RSA \ - -v 3652 \ - --policy null \ - -s SHA256WithRSA \ - -type "x509" - ejbca.sh config cmp addalias --alias cmpRA - ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra - ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature - ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' - ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' - ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true - #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) - ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles - #Profile name taken from certprofile filename (certprofile_-.xml) - ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER - #ID taken from entityprofile filename (entityprofile_-.xml) - ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 - caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') - ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" - ejbca.sh config cmp dumpalias --alias cmpRA - ejbca.sh config cmp addalias --alias cmp - ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true - ejbca.sh 
config cmp updatealias --alias cmp --key responseprotection --value pbe - ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password ${CLIENT_IAK} --type 1 --token USERGENERATED - ejbca.sh ra setclearpwd --username Node123 --password ${CLIENT_IAK} - ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN - ejbca.sh config cmp dumpalias --alias cmp - ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem - #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) - ejbca.sh roles addrole "Certificate Update Admin" - ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT - ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT - ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT - ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT - ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" - # workarround to exit successfully, as a reexecution of "addrolemember" returns an error - exit 0 -} - - -waitForEjbcaToStart -configureEjbca diff --git a/kubernetes/contrib/components/ejbca/resources/entityprofile_Custom_EndEntity-1356531849.xml b/kubernetes/contrib/components/ejbca/resources/entityprofile_Custom_EndEntity-1356531849.xml deleted file mode 100644 index ec51a80d5e..0000000000 --- a/kubernetes/contrib/components/ejbca/resources/entityprofile_Custom_EndEntity-1356531849.xml +++ /dev/null 
@@ -1,1107 +0,0 @@ - - - - - version - 14.0 - - - NUMBERARRAY - - - 1 - - - 1 - - - 0 - - - 0 - - - 0 - - - 1 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 1 - - - 1 - - - 1 - - - 1 - - - 0 - - - 1 - - - 3 - - - 3 - - - 3 - - - 0 - - - 3 - - - 0 - - - 0 - - - 0 - - - 0 - - - 1 - - - 0 - - - 0 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 0 - - - 0 - - - 1 - - - 1 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 1 - - - 1 - - - 0 - - - 1 - - - 0 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 0 - - - 0 - - - 0 - - - - - SUBJECTDNFIELDORDER - - - 500 - - - 1100 - - - 1200 - - - 1300 - - - 1400 - - - 1600 - - - - - SUBJECTALTNAMEFIELDORDER - - - 1800 - - - 1801 - - - 1802 - - - 1700 - - - 1701 - - - 1702 - - - 1900 - - - 1901 - - - 1902 - - - 2100 - - - 2101 - - - 2102 - - - - - SUBJECTDIRATTRFIELDORDER - - - - 0 - - - - 20000 - true - - - 10000 - true - - - 30000 - true - - - 1 - - - - 20001 - true - - - 10001 - true - - - 30001 - true - - - 95 - - - - 20095 - false - - - 10095 - true - - - 30095 - true - - - 96 - - - - 20096 - false - - - 10096 - true - - - 30096 - true - - - 5 - - - - 20005 - true - - - 10005 - true - - - 30005 - true - - - 26 - - - - 20026 - false - - - 10026 - true - - - 30026 - true - - - 29 - 1834889499 - - - 20029 - true - - - 10029 - true - - - 30029 - true - - - 30 - 1834889499 - - - 20030 - true - - - 10030 - true - - - 30030 - true - - - 31 - 1 - - - 20031 - true - - - 10031 - true - - - 30031 - true - - - 32 - 1;2;3;4 - - - 20032 - true - - - 10032 - true - - - 30032 - true - - - 33 - - - - 20033 - true - - - 10033 - true - - - 30033 - true - - - 34 - - - - 20034 - true - - 
- 10034 - false - - - 30034 - true - - - 38 - 1 - - - 20038 - true - - - 10038 - true - - - 30038 - true - - - 37 - -29939301 - - - 20037 - true - - - 10037 - true - - - 30037 - true - - - 98 - - - - 20098 - false - - - 10098 - false - - - 30098 - true - - - 99 - - - - 20099 - false - - - 10099 - false - - - 30099 - true - - - 97 - - - - 20097 - false - - - 10097 - false - - - 30097 - true - - - 91 - false - - - 20091 - false - - - 10091 - false - - - 30091 - true - - - 94 - -1 - - - 20094 - true - - - 10094 - false - - - 30094 - false - - - 93 - -1 - - - 20093 - false - - - 10093 - false - - - 30093 - false - - - 89 - - - - 20089 - false - - - 10089 - false - - - 30089 - true - - - 88 - - - - 20088 - false - - - 10088 - false - - - 30088 - true - - - ALLOW_MERGEDN_WEBSERVICES - false - - - 2 - - - - 20002 - false - - - 10002 - false - - - 10090 - true - - - 90 - 0 - - - REVERSEFFIELDCHECKS - false - - - 28 - false - - - 20028 - false - - - 10028 - false - - - REUSECERTIFICATE - false - - - 35 - false - - - 20035 - false - - - 10035 - false - - - 10092 - false - - - USEEXTENSIONDATA - false - - - PRINTINGUSE - false - - - PRINTINGDEFAULT - false - - - PRINTINGREQUIRED - false - - - PRINTINGCOPIES - 1 - - - PRINTINGPRINTERNAME - - - - PRINTINGSVGDATA - - - - PRINTINGSVGFILENAME - - - - 11 - - - - 20011 - false - - - 10011 - true - - - 30011 - true - - - 12 - - - - 20012 - true - - - 10012 - true - - - 30012 - true - - - 13 - - - - 20013 - false - - - 10013 - true - - - 30013 - true - - - 14 - - - - 20014 - true - - - 10014 - true - - - 30014 - true - - - 16 - - - - 20016 - true - - - 10016 - true - - - 30016 - true - - - 18 - - - - 20018 - false - - - 10018 - true - - - 30018 - true - - - 118 - - - - 20118 - false - - - 10118 - true - - - 30118 - true - - - 218 - - - - 20218 - false - - - 10218 - true - - - 30218 - true - - - 17 - - - - 20017 - false - - - 10017 - false - - - 30017 - true - - - 117 - - - - 20117 - false - - - 10117 - false - - - 30117 - true - - - 
217 - - - - 20217 - false - - - 10217 - false - - - 30217 - true - - - 19 - - - - 20019 - false - - - 10019 - true - - - 30019 - true - - - 119 - - - - 20119 - false - - - 10119 - true - - - 30119 - true - - - 219 - - - - 20219 - false - - - 10219 - true - - - 30219 - true - - - 21 - - - - 20021 - false - - - 10021 - true - - - 30021 - true - - - 121 - - - - 20121 - false - - - 10121 - true - - - 30121 - true - - - 221 - - - - 20221 - false - - - 10221 - true - - - 30221 - true - - - diff --git a/kubernetes/contrib/components/ejbca/templates/configmap.yaml b/kubernetes/contrib/components/ejbca/templates/configmap.yaml deleted file mode 100644 index 093657dfe0..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ include "common.fullname" . }}-config-script" -data: -{{ tpl (.Files.Glob "resources/ejbca-config.sh").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ include "common.fullname" . }}-profiles" -data: -{{ tpl (.Files.Glob "resources/certprofile_CUSTOM_ENDUSER-1834889499.xml").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/entityprofile_Custom_EndEntity-1356531849.xml").AsConfig . | indent 2 }} 
diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml
deleted file mode 100644
index a36dcacb23..0000000000
--- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml
+++ /dev/null
@@ -1,120 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - {{- if (include "common.onServiceMesh" . ) }} - annotations: - {{- if eq ( .Values.global.serviceMesh.engine ) "linkerd" }} - linkerd.io/inject: disabled - {{- end }} - {{- if eq ( .Values.global.serviceMesh.engine ) "istio" }} - sidecar.istio.io/rewriteAppHTTPProbers: "false" - proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }' - {{- end }} - {{- end }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-db-readiness - command: - - /app/ready.py - args: - - --container-name - {{- if .Values.global.mariadbGalera.localCluster }} - - ejbca-galera - {{- else }} - - ejbca-config - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - containers: - - name: {{ include "common.name" . }}-ejbca - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.ejbca.image }} - imagePullPolicy: {{ .Values.pullPolicy }} - lifecycle: - postStart: - exec: - command: - - sh - - -c - - | - sleep 60; /opt/primekey/scripts/ejbca-config.sh - volumeMounts: - - name: "{{ include "common.fullname" . }}-volume" - mountPath: /opt/primekey/scripts/ - - name: "{{ include "common.fullname" . }}-profiles-volume" - mountPath: /opt/primekey/custom_profiles/ - ports: {{ include "common.containerPorts" . | nindent 10 }} - env: - - name: INITIAL_ADMIN - value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" - - name: NO_CREATE_CA - value: "true" - - name: DATABASE_JDBC_URL - value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} - - name: DATABASE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "login") | indent 10 }} - - name: DATABASE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "password") | indent 10 }} - - name: RA_IAK - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-server-ra-iak" "key" "password") | indent 10 }} - - name: CLIENT_IAK - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "ejbca-server-client-iak" "key" "password") | indent 10 }} - livenessProbe: - httpGet: - port: {{ .Values.liveness.port }} - path: {{ .Values.liveness.path }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - readinessProbe: - httpGet: - port: {{ .Values.readiness.port }} - path: {{ .Values.readiness.path }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - resources: {{ include "common.resources" . | nindent 10 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - configMap: - name: "{{ include "common.fullname" . }}-config-script" - defaultMode: 0755 - name: "{{ include "common.fullname" . }}-volume" - - configMap: - name: "{{ include "common.fullname" . }}-profiles" - defaultMode: 0755 - name: "{{ include "common.fullname" . }}-profiles-volume" diff --git a/kubernetes/contrib/components/ejbca/templates/secret.yaml b/kubernetes/contrib/components/ejbca/templates/secret.yaml deleted file mode 100644 index 837da0959b..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@
-{{/*
-# Copyright © 2020, Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.secretFast" . }}
diff --git a/kubernetes/contrib/components/ejbca/templates/service.yaml b/kubernetes/contrib/components/ejbca/templates/service.yaml
deleted file mode 100644
index 46eed4264c..0000000000
--- a/kubernetes/contrib/components/ejbca/templates/service.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-# Copyright © 2020, Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml
deleted file mode 100644
index b777a7d388..0000000000
--- a/kubernetes/contrib/components/ejbca/values.yaml
+++ /dev/null
@@ -1,132 +0,0 @@ -# Copyright © 2020, Nordix Foundation, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -global: - mariadbGalera: &mariadbGalera - #This flag allows EJBCA to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -secrets: - - uid: ejbca-db-secret - name: &ejbca-db-secret '{{ include "common.release" . }}-ejbca-db-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: ejbca-server-ra-iak - name: '{{ include "common.release" . }}-ejbca-ra-iak' - type: password - password: '{{ .Values.config.ejbca.raIak }}' - - uid: ejbca-server-client-iak - name: '{{ include "common.release" . }}-ejbca-client-iak' - type: password - password: '{{ .Values.config.ejbca.clientIak }}' - -# application configuration -config: - db: - userName: ejbca - # userPassword: password - # userCredentialsExternalSecret: some-secret - ejbca: {} - # raIak: mypassword - # clientIak: mypassword - -mysqlDatabase: &dbName ejbca - -################################################################# -# Application configuration defaults. 
-################################################################# -# application configuration -replicaCount: 1 - -ejbca: - image: primekey/ejbca-ce:7.4.3.2 -pullPolicy: Always - -mariadb-galera: - db: - externalSecret: *ejbca-db-secret - name: *dbName - nameOverride: &ejbca-galera ejbca-galera - service: - name: ejbca-galera - portName: ejbca-galera - internalPort: 3306 - replicaCount: 1 - persistence: - enabled: true - mountSubPath: ejbca/maria/data - serviceAccount: - nameOverride: *ejbca-galera - -mariadb-init: - config: - userCredentialsExternalSecret: *ejbca-db-secret - mysqlDatabase: *dbName - nameOverride: ejbca-config - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - path: /ejbca/publicweb/healthcheck/ejbcahealth - port: 8443 - initialDelaySeconds: 180 - periodSeconds: 30 - -readiness: - path: /ejbca/publicweb/healthcheck/ejbcahealth - port: 8443 - initialDelaySeconds: 180 - periodSeconds: 30 - -service: - type: ClusterIP - both_tls_and_plain: true - ports: - - name: api - port: 8443 - plain_port: 8080 - port_protocol: http - -# Resource Limit flavor -By Default using small -flavor: unlimited -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1500m - memory: 1536Mi - requests: - cpu: 10m - memory: 750Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 20m - memory: 1Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: ejbca - roles: - - read diff --git a/kubernetes/contrib/components/netbox/.helmignore b/kubernetes/contrib/components/netbox/.helmignore deleted file mode 100755 index f0c1319444..0000000000 --- a/kubernetes/contrib/components/netbox/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/contrib/components/netbox/Chart.yaml b/kubernetes/contrib/components/netbox/Chart.yaml
deleted file mode 100755
index 2454db227b..0000000000
--- a/kubernetes/contrib/components/netbox/Chart.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright © 2018 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Netbox IPAM
-name: netbox
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: netbox-app
- version: ~12.x-0
- repository: 'file://components/netbox-app'
- - name: netbox-nginx
- version: ~12.x-0
- repository: 'file://components/netbox-nginx'
- - name: netbox-postgres
- version: ~12.x-0
- repository: 'file://components/netbox-postgres'
\ No newline at end of file
diff --git a/kubernetes/contrib/components/netbox/Makefile b/kubernetes/contrib/components/netbox/Makefile
deleted file mode 100644
index ef273d0e9b..0000000000
--- a/kubernetes/contrib/components/netbox/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES := dist resources templates charts docker
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/contrib/components/netbox/components/Makefile b/kubernetes/contrib/components/netbox/components/Makefile
deleted file mode 100644
index 79ba2fb47e..0000000000
--- a/kubernetes/contrib/components/netbox/components/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES :=
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/.helmignore b/kubernetes/contrib/components/netbox/components/netbox-app/.helmignore
deleted file mode 100755
index f0c1319444..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/Chart.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/Chart.yaml
deleted file mode 100755
index 0bbe2d2e3c..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright © 2018 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Netbox - Application (WSGI + Gunicorn)
-name: netbox-app
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/configuration.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/configuration.py
deleted file mode 100755
index 7d704ae762..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/configuration.py
+++ /dev/null
@@ -1,156 +0,0 @@ -import os -import socket - -# For reference see http://netbox.readthedocs.io/en/latest/configuration/mandatory-settings/ -# Based on https://github.com/digitalocean/netbox/blob/develop/netbox/netbox/configuration.example.py - -# Read secret from file -def read_secret(secret_name): - try: - f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8') - except EnvironmentError: - return '' - else: - with f: - return f.readline().strip() - -BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) - -######################### -# # -# Required settings # -# # -######################### - -# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write -# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name. -# -# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local'] -ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', socket.gethostname()).split(' ') - -# PostgreSQL database configuration. -DATABASE = { - 'NAME': os.environ.get('DB_NAME', 'netbox'), # Database name - 'USER': os.environ.get('DB_USER', ''), # PostgreSQL username - 'PASSWORD': os.environ.get('DB_PASSWORD', read_secret('db_password')), - # PostgreSQL password - 'HOST': os.environ.get('DB_HOST', 'localhost'), # Database server - 'PORT': os.environ.get('DB_PORT', ''), # Database port (leave blank for default) -} - -# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file. -# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and -# symbols. NetBox will not run without this defined. 
For more information, see -# https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SECRET_KEY -SECRET_KEY = os.environ.get('SECRET_KEY', read_secret('secret_key')) - -######################### -# # -# Optional settings # -# # -######################### - -# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of -# application errors (assuming correct email settings are provided). -ADMINS = [ - # ['John Doe', 'jdoe@example.com'], -] - -# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same -# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP. -BANNER_TOP = os.environ.get('BANNER_TOP', '') -BANNER_BOTTOM = os.environ.get('BANNER_BOTTOM', '') - -# Text to include on the login page above the login form. HTML is allowed. -BANNER_LOGIN = os.environ.get('BANNER_LOGIN', '') - -# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: -# BASE_PATH = 'netbox/' -BASE_PATH = os.environ.get('BASE_PATH', '') - -# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be -# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or -# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers -CORS_ORIGIN_ALLOW_ALL = os.environ.get('CORS_ORIGIN_ALLOW_ALL', 'False').lower() == 'true' -CORS_ORIGIN_WHITELIST = os.environ.get('CORS_ORIGIN_WHITELIST', '').split(' ') -CORS_ORIGIN_REGEX_WHITELIST = [ - # r'^(https?://)?(\w+\.)?example\.com$', -] - -# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal -# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging -# on a production system. 
-DEBUG = os.environ.get('DEBUG', 'False').lower() == 'true' - -# Email settings -EMAIL = { - 'SERVER': os.environ.get('EMAIL_SERVER', 'localhost'), - 'PORT': int(os.environ.get('EMAIL_PORT', 25)), - 'USERNAME': os.environ.get('EMAIL_USERNAME', ''), - 'PASSWORD': os.environ.get('EMAIL_PASSWORD', read_secret('email_password')), - 'TIMEOUT': int(os.environ.get('EMAIL_TIMEOUT', 10)), # seconds - 'FROM_EMAIL': os.environ.get('EMAIL_FROM', ''), -} - -# Enforcement of unique IP space can be toggled on a per-VRF basis. -# To enforce unique IP space within the global table (all prefixes and IP addresses not assigned to a VRF), -# set ENFORCE_GLOBAL_UNIQUE to True. -ENFORCE_GLOBAL_UNIQUE = os.environ.get('ENFORCE_GLOBAL_UNIQUE', 'False').lower() == 'true' - -# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs: -# https://docs.djangoproject.com/en/1.11/topics/logging/ -LOGGING = {} - -# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users -# are permitted to access most data in NetBox (excluding secrets) but not make any changes. -LOGIN_REQUIRED = os.environ.get('LOGIN_REQUIRED', 'False').lower() == 'true' - -# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: -# BASE_PATH = 'netbox/' -BASE_PATH = os.environ.get('BASE_PATH', '') - -# Setting this to True will display a "maintenance mode" banner at the top of every page. -MAINTENANCE_MODE = os.environ.get('MAINTENANCE_MODE', 'False').lower() == 'true' - -# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g. -# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request -# all objects by specifying "?limit=0". 
-MAX_PAGE_SIZE = int(os.environ.get('MAX_PAGE_SIZE', 1000)) - -# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that -# the default value of this setting is derived from the installed location. -MEDIA_ROOT = os.environ.get('MEDIA_ROOT', os.path.join(BASE_DIR, 'media')) - -# Credentials that NetBox will use to access live devices. -NAPALM_USERNAME = os.environ.get('NAPALM_USERNAME', '') -NAPALM_PASSWORD = os.environ.get('NAPALM_PASSWORD', read_secret('napalm_password')) - -# NAPALM timeout (in seconds). (Default: 30) -NAPALM_TIMEOUT = int(os.environ.get('NAPALM_TIMEOUT', 30)) - -# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must -# be provided as a dictionary. -NAPALM_ARGS = {} - -# Determine how many objects to display per page within a list. (Default: 50) -PAGINATE_COUNT = int(os.environ.get('PAGINATE_COUNT', 50)) - -# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to -# prefer IPv4 instead. -PREFER_IPV4 = os.environ.get('PREFER_IPV4', 'False').lower() == 'true' - -# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of -# this setting is derived from the installed location. -REPORTS_ROOT = os.environ.get('REPORTS_ROOT', '/etc/netbox/reports') - -# Time zone (default: UTC) -TIME_ZONE = os.environ.get('TIME_ZONE', 'UTC') - -# Date/time formatting. 
See the following link for supported formats:
-# https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date
-DATE_FORMAT = os.environ.get('DATE_FORMAT', 'N j, Y')
-SHORT_DATE_FORMAT = os.environ.get('SHORT_DATE_FORMAT', 'Y-m-d')
-TIME_FORMAT = os.environ.get('TIME_FORMAT', 'g:i a')
-SHORT_TIME_FORMAT = os.environ.get('SHORT_TIME_FORMAT', 'H:i:s')
-DATETIME_FORMAT = os.environ.get('DATETIME_FORMAT', 'N j, Y g:i a')
-SHORT_DATETIME_FORMAT = os.environ.get('SHORT_DATETIME_FORMAT', 'Y-m-d H:i')
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/gunicorn_config.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/gunicorn_config.py
deleted file mode 100755
index c7d9f7b725..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/gunicorn_config.py
+++ /dev/null
@@ -1,8 +0,0 @@
-command = '/usr/bin/gunicorn'
-pythonpath = '/opt/netbox/netbox'
-bind = '0.0.0.0:{{ .Values.service.internalPort }}'
-workers = 3
-errorlog = '-'
-accesslog = '-'
-capture_output = False
-loglevel = 'debug'
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/ldap_config.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/ldap_config.py
deleted file mode 100755
index c7e0d3bee9..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/ldap_config.py
+++ /dev/null
@@ -1,55 +0,0 @@
-import ldap
-import os
-
-from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
-
-# Server URI
-AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI', '')
-
-# The following may be needed if you are binding to Active Directory.
-AUTH_LDAP_CONNECTION_OPTIONS = {
- ldap.OPT_REFERRALS: 0
-}
-
-# Set the DN and password for the NetBox service account.
-AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '')
-AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '')
-
-# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
-# Note that this is a NetBox-specific setting which sets:
-# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
-LDAP_IGNORE_CERT_ERRORS = os.environ.get('LDAP_IGNORE_CERT_ERRORS', 'False').lower() == 'true'
-
-AUTH_LDAP_USER_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', ''),
- ldap.SCOPE_SUBTREE,
- "(sAMAccountName=%(user)s)")
-
-# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
-# heirarchy.
-AUTH_LDAP_GROUP_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', ''), ldap.SCOPE_SUBTREE,
- "(objectClass=group)")
-AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
-
-# Define a group required to login.
-AUTH_LDAP_REQUIRE_GROUP = os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', '')
-
-# Define special user types using groups. Exercise great caution when assigning superuser status.
-AUTH_LDAP_USER_FLAGS_BY_GROUP = {
- "is_active": os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''),
- "is_staff": os.environ.get('AUTH_LDAP_IS_ADMIN_DN', ''),
- "is_superuser": os.environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '')
-}
-
-# For more granular permissions, we can map LDAP groups to Django groups.
-AUTH_LDAP_FIND_GROUP_PERMS = os.environ.get('AUTH_LDAP_FIND_GROUP_PERMS', 'True').lower() == 'true'
-
-# Cache groups for one hour to reduce LDAP traffic
-AUTH_LDAP_CACHE_GROUPS = os.environ.get('AUTH_LDAP_CACHE_GROUPS', 'True').lower() == 'true'
-AUTH_LDAP_GROUP_CACHE_TIMEOUT = int(os.environ.get('AUTH_LDAP_CACHE_GROUPS', 3600))
-
-# Populate the Django user from the LDAP directory.
-AUTH_LDAP_USER_ATTR_MAP = {
- "first_name": os.environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'),
- "last_name": os.environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
- "email": os.environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
-}
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml
deleted file mode 100755
index 05bbfc7738..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-external-key:
- description: "The external-key uniquely identify the resources to a service within ONAP."
- filterable: true
- label: ONAP external key
- on_objects:
- - ipam.models.IPAddress
- required: true
- type: text
- weight: 0
-resource-name:
- description: "The resource-name of the element using this IP."
- filterable: true
- label: ONAP resource name
- on_objects:
- - ipam.models.IPAddress
- required: true
- type: text
- weight: 0
\ No newline at end of file
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/groups.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/groups.yml
deleted file mode 100755
index 1f4a5a7a6e..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/groups.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-# applications:
-# users:
-# - technical_user
-# readers:
-# users:
-# - reader
-# writers:
-# users:
-# - writer
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/users.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/users.yml
deleted file mode 100755
index 77d330beac..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/users.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-onap:
- first_name: Steve
- last_name: McQueen
- email: steve.mcqueen@onap.org
- password: onap123$
- api_token: onceuponatimeiplayedwithnetbox20180814 # This API KEY is used by SDNC, if you edit it, make sure to change it in the netbox.properties file
- is_staff: true # whether user is admin or not, default = false
- is_active: true # whether user is active, default = true
- is_superuser: true # Whether user has all edit rights or not, default = false
\ No newline at end of file
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/provisioning/provision.sh b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/provisioning/provision.sh
deleted file mode 100755
index 984801decb..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/provisioning/provision.sh
+++ /dev/null
@@ -1,136 +0,0 @@ -#!/bin/sh - -# Create region - -echo "Create region: RegionOne" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/dcim/regions/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "RegionOne", - "slug": "RegionOne" -}' - -# Create tenant group - -echo "Create tenant group: ONAP group" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/tenancy/tenant-groups/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "ONAP group", - "slug": "onap-group" -}' - -# Create tenant - -echo "Create tenant ONAP in ONAP group" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/tenancy/tenants/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "ONAP", - "slug": "onap", - "group": 1, - "description": "ONAP tenant", - "comments": "Tenant for ONAP demo use cases" -}' - -# Create site - -echo "Create ONAP demo site: Montreal Lab" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/dcim/sites/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "Montreal Lab D3", - "slug": "mtl-lab-d3", - "region": 1, - "tenant": 1, - "facility": "Campus", - "time_zone": "Canada/Atlantic", - "description": "Site hosting the ONAP use cases", - "physical_address": "1 Graham Bell", - "shipping_address": "1 Graham Bell", - "contact_name": "Alexis", - "contact_phone": "0000000000", - "contact_email": "adetalhouet89@gmail.com", - "comments": "ONAP lab" -}' - -# Create prefixes - -echo "Create Prefix for vFW protected network" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ 
.Values.service.internalPort }}/api/ipam/prefixes/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "prefix": "{{ .Values.service.private2 }}", - "site": 1, - "tenant": 1, - "is_pool": false, - "description": "IP Pool for private network 2" -}' - -echo "Create Prefix for vFW unprotected network" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "prefix": "{{ .Values.service.private1 }}", - "site": 1, - "tenant": 1, - "is_pool": false, - "description": "IP Pool for private network 1" -}' - -echo "Create Prefix for ONAP general purpose network" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "prefix": "{{ .Values.service.management }}", - "site": 1, - "tenant": 1, - "is_pool": false, - "description": "IP Pool for ONAP - general purpose" -}' - -# Reserve ports, gateway and dhcp, for each protected and unprotected networks. 
- -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/1/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/1/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/2/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/2/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/3/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/3/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/00_users.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/00_users.py deleted file mode 100755 index 7626058357..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/00_users.py +++ /dev/null 
@@ -1,26 +0,0 @@
-from django.contrib.auth.models import Group, User
-from users.models import Token
-
-from ruamel.yaml import YAML
-
-with open('/opt/netbox/initializers/users.yml', 'r') as stream:
- yaml=YAML(typ='safe')
- users = yaml.load(stream)
-
- if users is not None:
- for username, user_details in users.items():
- if not User.objects.filter(username=username):
- user = User.objects.create_user(
- username = username,
- password = user_details.get('password', 0) or User.objects.make_random_password,
- is_staff = user_details.get('is_staff', 0) or false,
- is_superuser = user_details.get('is_superuser', 0) or false,
- is_active = user_details.get('is_active', 0) or true,
- first_name = user_details.get('first_name', 0),
- last_name = user_details.get('last_name', 0),
- email = user_details.get('email', 0))
-
- print("👤 Created user ",username)
-
- if user_details.get('api_token', 0):
- Token.objects.create(user=user, key=user_details['api_token'])
\ No newline at end of file
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/10_groups.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/10_groups.py
deleted file mode 100755
index 7932874704..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/10_groups.py
+++ /dev/null
@@ -1,19 +0,0 @@
-from django.contrib.auth.models import Group, User
-from ruamel.yaml import YAML
-
-with open('/opt/netbox/initializers/groups.yml', 'r') as stream:
- yaml=YAML(typ='safe')
- groups = yaml.load(stream)
-
- if groups is not None:
- for groupname, group_details in groups.items():
- group, created = Group.objects.get_or_create(name=groupname)
-
- if created:
- print("👥 Created group", groupname)
-
- for username in group_details['users']:
- user = User.objects.get(username=username)
-
- if user:
- user.groups.add(group)
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/20_custom_fields.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/20_custom_fields.py
deleted file mode 100755
index 5c40e37bf2..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/20_custom_fields.py
+++ /dev/null
@@ -1,68 +0,0 @@ -from extras.constants import CF_TYPE_TEXT, CF_TYPE_INTEGER, CF_TYPE_BOOLEAN, CF_TYPE_DATE, CF_TYPE_URL, CF_TYPE_SELECT -from extras.models import CustomField, CustomFieldChoice - -from ruamel.yaml import YAML - -text_to_fields = { - 'boolean': CF_TYPE_BOOLEAN, - 'date': CF_TYPE_DATE, - 'integer': CF_TYPE_INTEGER, - 'selection': CF_TYPE_SELECT, - 'text': CF_TYPE_TEXT, - 'url': CF_TYPE_URL, -} - -def get_class_for_class_path(class_path): - import importlib - from django.contrib.contenttypes.models import ContentType - - module_name, class_name = class_path.rsplit(".", 1) - module = importlib.import_module(module_name) - clazz = getattr(module, class_name) - return ContentType.objects.get_for_model(clazz) - -with open('/opt/netbox/initializers/custom_fields.yml', 'r') as stream: - yaml = YAML(typ='safe') - customfields = yaml.load(stream) - - if customfields is not None: - for cf_name, cf_details in customfields.items(): - custom_field, created = CustomField.objects.get_or_create(name = cf_name) - - if created: - if cf_details.get('default', 0): - custom_field.default = cf_details['default'] - - if cf_details.get('description', 0): - custom_field.description = cf_details['description'] - - if cf_details.get('filterable', 0): - custom_field.is_filterables = cf_details['filterable'] - - if cf_details.get('label', 0): - custom_field.label = cf_details['label'] - - for object_type in cf_details.get('on_objects', []): - custom_field.obj_type.add(get_class_for_class_path(object_type)) - - if cf_details.get('required', 0): - custom_field.required = cf_details['required'] - - if cf_details.get('type', 0): - custom_field.type = text_to_fields[cf_details['type']] - - if cf_details.get('weight', 0): - custom_field.weight = cf_details['weight'] - - custom_field.save() - - for choice_details in cf_details.get('choices', []): - choice = CustomFieldChoice.objects.create( - field=custom_field, - value=choice_details['value']) - - if choice_details.get('weight', 0): 
- choice.weight = choice_details['weight'] - choice.save() - - print("🔧 Created custom field", cf_name) diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/NOTES.txt b/kubernetes/contrib/components/netbox/components/netbox-app/templates/NOTES.txt deleted file mode 100755 index e70c418864..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.fullname" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/configmap.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/configmap.yaml deleted file mode 100755 index f785478e1b..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/configmap.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-provisioning-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/provisioning/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configuration-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/configuration/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-initializers-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/initializers/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-startupscripts-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/startup_scripts/*").AsConfig . | indent 2 }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml deleted file mode 100755 index 302166fcd6..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: DB_PASSWORD - - name: EMAIL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: EMAIL_PASSWORD - - name: NAPALM_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: NAPALM_PASSWORD - - name: SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: SECRET_KEY - - name: SUPERUSER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: SUPERUSER_PASSWORD - - name: SUPERUSER_API_TOKEN - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . 
}}-pass - key: SUPERUSER_API_TOKEN - - name: ALLOWED_HOSTS - value: {{ .Values.config.allowedHosts | quote }} - - name: DB_NAME - value: {{ .Values.config.dbName }} - - name: DB_USER - value: {{ .Values.config.dbUser }} - - name: DB_HOST - value: {{ .Values.config.dbHost }} - - name: EMAIL_SERVER - value: {{ .Values.config.emailServer }} - - name: EMAIL_PORT - value: {{ .Values.config.emailPort | quote }} - - name: EMAIL_USERNAME - value: {{ .Values.config.emailUsername }} - - name: EMAIL_TIMEOUT - value: {{ .Values.config.emailTimeout | quote }} - - name: EMAIL_FROM - value: {{ .Values.config.emailFrom }} - - name: MEDIA_ROOT - value: {{ .Values.config.mediaRoot }} - - name: NAPALM_USERNAME - value: {{ .Values.config.napalmUsername }} - - name: NAPALM_TIMEOUT - value: {{ .Values.config.napalmTimeout | quote }} - - name: MAX_PAGE_SIZE - value: {{ .Values.config.maxPageSize | quote }} - - name: SUPERUSER_NAME - value: {{ .Values.config.superuserName }} - - name: SUPERUSER_EMAIL - value: {{ .Values.config.superuserEmail }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/netbox/startup_scripts - name: {{ include "common.fullname" . }}-startupscripts-config - - mountPath: /opt/netbox/initializers - name: {{ include "common.fullname" . }}-initializers-config - - mountPath: /etc/netbox/config - name: {{ include "common.fullname" . }}-configuration-config - - name: {{ include "common.fullname" . }} - mountPath: /opt/netbox/netbox/static - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . 
}} - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-{{ .Values.persistence.staticPvName }} - - name: {{ include "common.fullname" . }}-startupscripts-config - configMap: - name: {{ include "common.fullname" . }}-startupscripts-configmap - - name: {{ include "common.fullname" . }}-initializers-config - configMap: - name: {{ include "common.fullname" . }}-initializers-configmap - - name: {{ include "common.fullname" . }}-configuration-config - configMap: - name: {{ include "common.fullname" . }}-configuration-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/job.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/job.yaml deleted file mode 100644 index 3b367a3d4a..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/job.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -# Copyright © 2018 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-provisioning - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - backoffLimit: 5 - template: - metadata: - labels: - app: {{ include "common.name" . }}-provisioning-job - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - netbox-app - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-provisioning-job - image: {{ include "repositoryGenerator.image.curl" . }} - volumeMounts: - - name: {{ include "common.fullname" . }}-provisioning - mountPath: /tmp - command: - - /bin/sh - - ./tmp/provision.sh - volumes: - - name: {{ include "common.fullname" . }}-provisioning - configMap: - name: {{ include "common.fullname" . 
}}-provisioning-configmap - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pv.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/pv.yaml deleted file mode 100755 index a61217fb94..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-{{- if not .Values.persistence.storageClass -}}
-kind: PersistentVolume
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}-data
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
- name: {{ include "common.fullname" . }}
-spec:
- capacity:
- storage: {{ .Values.persistence.size}}
- accessModes:
- - {{ .Values.persistence.accessMode }}
- persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }}
- storageClassName: "{{ include "common.fullname" . }}-data"
- hostPath:
- path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/app
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pvc.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/pvc.yaml
deleted file mode 100755
index 7e25a0f1ef..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pvc.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ include "common.release" . }}-{{ .Values.persistence.staticPvName }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
- {{- if .Values.persistence.annotations }}
- annotations:
-{{ .Values.persistence.annotations | indent 4 }}
- {{- end }}
-spec:
- accessModes:
- - {{ .Values.persistence.accessMode }}
- resources:
- requests:
- storage: {{ .Values.persistence.size }}
- storageClassName: {{ include "common.storageClass" . }}
-{{- end -}}
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/secrets.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/secrets.yaml
deleted file mode 100755
index c06bc5a333..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/secrets.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{/*
-# Copyright © 2018 Bell Canada, Amdocs
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-pass
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- DB_PASSWORD: {{ .Values.config.dbPassword | b64enc | quote }}
- EMAIL_PASSWORD: {{ .Values.config.emailPassword | b64enc | quote }}
- NAPALM_PASSWORD: {{ .Values.config.napalmPassword | b64enc | quote }}
- SECRET_KEY: {{ .Values.config.secretKey | b64enc | quote }}
- SUPERUSER_PASSWORD: {{ .Values.config.superuserPassword | b64enc | quote }}
- SUPERUSER_API_TOKEN: {{ .Values.config.superuserAPIToken | b64enc | quote }}
\ No newline at end of file
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/service.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/service.yaml
deleted file mode 100755
index 74d1116f50..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/service.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
- annotations:
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
- name: {{ include "common.name" . }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- {{- else -}}
- - port: {{ .Values.service.externalPort }}
- name: {{ include "common.name" . }}
- targetPort: {{ .Values.service.internalPort }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml
deleted file mode 100755
index 27cd811ec1..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml
+++ /dev/null
@@ -1,120 +0,0 @@
-# Copyright © 2018 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-global: # global defaults
- nodePortPrefixExt: 304
- persistence: {}
-
-config:
- # Secrets configuration values
- dbPassword: J5brHrAXFLQSif0K
- emailPassword: password
- napalmPassword: password
- secretKey: r8OwDznj!!dci#P9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj
- superuserPassword: admin
- superuserAPIToken: 0123456789abcdef0123456789abcdef01234567
-
- # Remaining environment configuration values
- allowedHosts: "*"
- dbName: netbox
- dbUser: netbox
- dbHost: netbox-postgres
- emailServer: localhost
- emailPort: 25
- emailUsername: netbox
- emailTimeout: 5
- emailFrom: netbox@bar.com
- mediaRoot: /opt/netbox/netbox/media
- napalmUsername: napalm
- napalmTimeout: 10
- maxPageSize: 0
- superuserName: admin
- superuserEmail: admin@onap.org
-
-image: netboxcommunity/netbox:v2.5.8
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 10
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: false
-
-readiness:
- initialDelaySeconds: 30
- periodSeconds: 10
-
-service:
- type: ClusterIP
- name: netbox-app
- externalPort: 8001
- internalPort: 8001
- portName: netbox-app
-
- # The following subnet pool will be
- # configured in Netbox by provisioning script.
- private1: 192.168.10.0/24
- private2: 192.168.20.0/24
- management: 10.0.101.0/24
-
-ingress:
- enabled: false
-
-# default number of instances
-replicaCount: 1
-
-nodeSelector: {}
-
-affinity: {}
-
-## Persist data to a persitent volume
-persistence:
- enabled: true
- volumeReclaimPolicy: Retain
- accessMode: ReadWriteMany
- size: 100Mi
-
- # Uncomment the storageClass parameter to use an existing PV
- # that will match the following class.
- # When uncomment the storageClass, the PV is not created anymore.
-
- # storageClass: "nfs-dev-sc"
-
- staticPvName: netbox-static
-
- # When using storage class, mountPath and mountSubPath are
- # simply ignored.
-
- mountPath: /dockerdata-nfs
- mountSubPath: netbox/app
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 10
- periodSeconds: 10
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
-readiness:
- initialDelaySeconds: 10
- periodSeconds: 10
-
-resources: {}
-
-#Pods Service Account
-serviceAccount:
- nameOverride: netbox-app
- roles:
- - read
diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/.helmignore b/kubernetes/contrib/components/netbox/components/netbox-nginx/.helmignore
deleted file mode 100755
index f0c1319444..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-nginx/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/Chart.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/Chart.yaml
deleted file mode 100755
index 3d5987928b..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-nginx/Chart.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright © 2018 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Netbox - Nginx web server
-name: netbox-nginx
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/resources/config/nginx.conf b/kubernetes/contrib/components/netbox/components/netbox-nginx/resources/config/nginx.conf
deleted file mode 100755
index 2ef2aca3a1..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-nginx/resources/config/nginx.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-worker_processes 1;
-
-events {
- worker_connections 1024;
-}
-
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
- sendfile on;
- tcp_nopush on;
- keepalive_timeout 65;
- gzip on;
- server_tokens off;
- client_max_body_size 10M;
-
- server {
- listen {{ .Values.service.internalPort }};
- server_name {{ .Values.service.portName }};
- access_log off;
-
- location /static/ {
- alias /opt/netbox/netbox/static/;
- }
-
- location / {
- proxy_pass http://netbox-app:8001;
- proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
- }
- }
-}
diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/NOTES.txt b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/NOTES.txt
deleted file mode 100755
index bd74a42cd5..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
-{{- end }}
diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/configmap.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/configmap.yaml
deleted file mode 100755
index 26242be8e2..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/configmap.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-config-configmap
- namespace: {{ include "common.namespace" . }}
-data:
-{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml
deleted file mode 100755
index 2d115f74bf..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml
+++ /dev/null
@@ -1,76 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["nginx"] - args: ["-c", "/etc/netbox-nginx/nginx.conf","-g", "daemon off;"] - ports: - - containerPort: {{ .Values.service.internalPort }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }} - mountPath: /opt/netbox/netbox/static - - name: {{ include "common.fullname" . }}-config - mountPath: /etc/netbox-nginx - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-config-configmap - - name: {{ include "common.fullname" . }} - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-{{ .Values.persistence.staticPvName }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/service.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/service.yaml deleted file mode 100755 index c01612e0f4..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/service.yaml +++ /dev/null 
@@ -1,39 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }}
- {{- else -}}
- - port: {{ .Values.service.internalPort }}
- targetPort: {{ .Values.service.internalPort }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml
deleted file mode 100755
index a7d0dadbf1..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml
+++ /dev/null
@@ -1,89 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - pullPolicy: Always - -# application image -image: nginx:1.15-alpine -pullPolicy: Always - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteMany - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: netbox/nginx/data - - # Names used for shared pv/pvcs across App & Nginx containers - staticPvName: netbox-static - -service: - type: ClusterIP - name: netbox-nginx - portName: netbox-nginx - internalPort: 8080 - nodePort: 20 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: netbox-nginx - roles: - - read diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/.helmignore b/kubernetes/contrib/components/netbox/components/netbox-postgres/.helmignore deleted file mode 100755 index f0c1319444..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/Chart.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/Chart.yaml deleted file mode 100755 index e0bf081960..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-# Copyright © 2018 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Netbox Posgres database
-name: netbox-postgres
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/NOTES.txt b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/NOTES.txt
deleted file mode 100755
index bd74a42cd5..0000000000
--- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/configmap.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/configmap.yaml deleted file mode 100755 index 9bc530577a..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/configmap.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-docker-entry-initd - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/cassandra/docker-entrypoint-initdb.d/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml deleted file mode 100755 index 8e05524fd1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - env: - - name: POSTGRES_USER - value: "{{ .Values.config.postgresUser }}" - - name: POSTGRES_PASSWORD - value: "{{ .Values.config.postgresPassword }}" - - name: POSTGRES_DB - value: "{{ .Values.config.postgresDB }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/postgresql/ - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pv.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pv.yaml deleted file mode 100755 index 37d07f05a1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pvc.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pvc.yaml deleted file mode 100755 index 30da3add0d..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pvc.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/service.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/service.yaml deleted file mode 100755 index 75335884df..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml deleted file mode 100755 index 7e0a324aa1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - -# application image -image: postgres:10.4-alpine -pullPolicy: Always - -# application configuration -config: - postgresUser: netbox - postgresPassword: J5brHrAXFLQSif0K - postgresDB: netbox - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - - # Uncomment the storageClass parameter to use an existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - accessMode: ReadWriteOnce - size: 1Gi - - # When using storage class, mountPath and mountSubPath are - # simply ignored. 
- - mountPath: /dockerdata-nfs - mountSubPath: netbox/postgres/data - -service: - type: ClusterIP - name: netbox-postgres - portName: netbox-postgres - internalPort: 5432 - externalPort: 5432 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: netbox-postgres - roles: - - read diff --git a/kubernetes/contrib/components/netbox/templates/ingress.yaml b/kubernetes/contrib/components/netbox/templates/ingress.yaml deleted file mode 100755 index 6f604a79ba..0000000000 --- a/kubernetes/contrib/components/netbox/templates/ingress.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.ingress.enabled -}} -{{- $serviceName := include "common.fullname" . -}} -{{- $servicePort := .Values.service.externalPort -}} -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: {{ $serviceName }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - {{- range $key, $value := .Values.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - rules: - {{- range $host := .Values.ingress.hosts }} - - host: {{ $host }} - http: - paths: - - path: / - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end -}} - {{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/values.yaml b/kubernetes/contrib/components/netbox/values.yaml deleted file mode 100755 index 04d2f27c7c..0000000000 --- a/kubernetes/contrib/components/netbox/values.yaml +++ /dev/null 
@@ -1,36 +0,0 @@
-# Copyright © 2018 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#################################################################
-# Global configuration defaults.
-#################################################################
-global:
- nodePortPrefixExt: 304
- commonConfigPrefix: netbox
-
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-pullPolicy: Always
-
-# default number of instances
-replicaCount: 1
-nodeSelector: {}
-affinity: {}
-
-ingress:
- enabled: false
-
-resources: {}
diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md
deleted file mode 100644
index 72f522a000..0000000000
--- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# Motivations
-Ingress controller implementation in the ONAP cluster is based on the virtual host routing.
-Testing ONAP cluster requires a lot of entries on the target machines in the /etc/hosts.
-Adding many entries into the configuration files on testing machines is quite problematic and error prone.
-The better wait is to create central DNS server with entries for all virtual host pointed to simpledemo.onap.org and add custom DNS server as a target DNS server for testing machines and/or as external DNS for kubernetes cluster.
-
-# How to deploy test DNS server:
-Run script ./deploy\_dns.sh
-
-# How to add DNS address on testing machines:
-See post deploy info
-
-# Test DNS inside cluster (optional)
-1. You can add the following entry after DNS deploy on running cluster at the end of cluster.yaml file (rke)
-~~~yaml
-dns:
- provider: coredns
- upstreamnameservers:
- - :31555
-~~~
-2. You can edit coredns configuration with command:
- kubectl -n kube-system edit configmap coredns
-
diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore
deleted file mode 100644
index dacad44a66..0000000000
--- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# Copyright 2020 Samsung Electronics Co., Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml
deleted file mode 100644
index dede98e707..0000000000
--- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# Copyright 2020 Samsung Electronics Co., Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-apiVersion: v2
-appVersion: "1.0"
-description: bind9 DNS server for kubernetes cluster
-name: bind9dns
-version: 0.1.0
diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt
deleted file mode 100644
index 7211966b89..0000000000
--- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt
+++ /dev/null
@@ -1,21 +0,0 @@ -1. Get the installed DNS host and port by running this commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range $.Values.ingress.paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bind9dns.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo DNS host: $NODE_IP dns port: $NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "bind9dns.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bind9dns.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bind9dns.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 -{{- end }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl deleted file mode 100644 index 3efbbbf831..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl +++ /dev/null 
@@ -1,49 +0,0 @@ -{{/* - - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/}} -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "bind9dns.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "bind9dns.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "bind9dns.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml deleted file mode 100644 index 7640be64a6..0000000000 
--- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml
+++ /dev/null
@@ -1,76 +0,0 @@ -{{/* - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "bind9dns.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - helm.sh/chart: {{ include "bind9dns.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . 
}} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - containers: - - name: {{ .Chart.Name }} - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: DNS_FORWARDER - value: {{ .Values.dnsconf.forwarder }} - - name: WILDCARD_DNS - value: {{ .Values.dnsconf.wildcard }} - - name: ALLOW_RECURSION - value: any - - name: ALLOW_QUERY - value: any - ports: - - name: dnsport - containerPort: {{ .Values.service.port }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.port }} - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - tcpSocket: - port: {{ .Values.service.port }} - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml deleted file mode 100644 index 715f2ff78e..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "bind9dns.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - helm.sh/chart: {{ include "bind9dns.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - nodePort: {{ .Values.service.nodePort }} - protocol: TCP - name: dnstcp - - port: {{ .Values.service.port }} - nodePort: {{ .Values.service.nodePort }} - protocol: UDP - name: dnsudp - selector: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml deleted file mode 100644 index 4fe5d05b02..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/}} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "bind9dns.fullname" . }}-test-connection" - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - helm.sh/chart: {{ include "bind9dns.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "bind9dns.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml deleted file mode 100644 index c9e19f41d0..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -replicaCount: 1 - -image: - repository: luccksam/docker-bind - tag: 0.1.0 - pullPolicy: IfNotPresent - -nameOverride: "" -fullnameOverride: "" - -service: - type: NodePort - port: 53 - nodePort: 31555 - -ingress: - enabled: false - annotations: {} - paths: [] - hosts: - - dnsserver.local - tls: [] - -resources: {} -nodeSelector: {} -tolerations: [] -affinity: {} - -dnsconf: - forwarder: "8.8.8.8,8.8.4.4" - wildcard: "simpledemo.onap.org=0.0.0.0" diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh deleted file mode 100755 index 294ae0a55e..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh +++ /dev/null 
@@ -1,106 +0,0 @@ -#!/bin/sh -e - -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -DNS_PORT=31555 -CLUSTER_CONTROL=$( kubectl get no -l node-role.kubernetes.io/controlplane=true -o jsonpath='{.items..metadata.name}') -CLUSTER_IP=$(kubectl get no $CLUSTER_CONTROL -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') -SPATH="$( dirname "$( which "$0" )" )" - - - -usage() { -cat << ==usage -$0 [cluster_domain] [lb_ip] [helm_chart_args] ... - [cluster_domain] Default value simpledemo.onap.org - [lb_ip] Default value LoadBalancer IP - [helm_chart_args] ... Optional arguments passed to helm install command -$0 --help This message -$0 --info Display howto configure target machine -==usage -} - - -target_machine_notice_info() -{ -cat << ==infodeploy -Extra DNS server already deployed: -1. You can add the DNS server to the target machine using following commands: - sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT - sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT - sudo sysctl -w net.ipv4.conf.all.route_localnet=1 - sudo sysctl -w net.ipv4.ip_forward=1 -2. 
Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine -==infodeploy -} - - -list_node_with_external_addrs() -{ - local WORKER_NODES - WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') - for worker in $WORKER_NODES; do - local external_ip - external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') - local internal_ip - internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') - if [ $internal_ip != $external_ip ]; then - echo $external_ip - break - fi - done -} - -ingress_controller_ip() { - local metal_ns - metal_ns=$(kubectl get ns --no-headers --output=custom-columns=NAME:metadata.name |grep metallb-system) - if [ -z $metal_ns ]; then - echo $CLUSTER_IP - else - list_node_with_external_addrs - fi -} - -deploy() { - local ingress_ip - ingress_ip=$(ingress_controller_ip) - initdir = $(pwd) - cd $SPATH/bind9dns - if [ $# -eq 0 ]; then - local cl_domain - cl_domain="simpledemo.onap.org" - else - local cl_domain - cl_domain=$1 - shift - fi - if [ $# -ne 0 ]; then - ingress_ip=$1 - shift - fi - helm install . --set dnsconf.wildcard="$cl_domain=$ingress_ip" $@ - cd $initdir - target_machine_notice_info -} - -if [ $# -eq 1 ] && [ "$1" = "-h" ]; then - usage -elif [ $# -eq 1 ] && [ "$1" = "--help" ]; then - usage -elif [ $# -eq 1 ] && [ "$1" = "--info" ]; then - target_machine_notice_info -else - deploy $@ -fi diff --git a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml b/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml deleted file mode 100644 index d579333157..0000000000 --- a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml +++ /dev/null 
@@ -1,296 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- - -kind: ConfigMap -apiVersion: v1 -data: - enable-underscores-in-headers: "true" -metadata: - name: nginx-configuration - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: tcp-services - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: udp-services - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: nginx-ingress-clusterrole - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - verbs: - - update - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: nginx-ingress-role - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - 
app.kubernetes.io/part-of: ingress-nginx -rules: - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - namespaces - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - # Defaults to "-" - # Here: "-" - # This has to be adapted if you change either parameter - # when launching the nginx-ingress-controller. - - "ingress-controller-leader-nginx" - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: nginx-ingress-role-nisa-binding - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: nginx-ingress-role -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: nginx-ingress-clusterrole-nisa-binding - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-ingress-clusterrole -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-ingress-controller - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - annotations: - prometheus.io/port: "10254" - prometheus.io/scrape: "true" - spec: - serviceAccountName: 
nginx-ingress-serviceaccount - containers: - - name: nginx-ingress-controller - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.1 - args: - - /nginx-ingress-controller - - --configmap=$(POD_NAMESPACE)/nginx-configuration - - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - - --publish-service=$(POD_NAMESPACE)/ingress-nginx - - --annotations-prefix=nginx.ingress.kubernetes.io - - --enable-ssl-passthrough=true - securityContext: - allowPrivilegeEscalation: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - # www-data -> 33 - runAsUser: 33 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - ---- - -apiVersion: v1 -kind: Service -metadata: - name: ingress-nginx - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - type: NodePort - ports: - - name: http - port: 80 - targetPort: 80 - protocol: TCP - - name: https - port: 443 - targetPort: 443 - protocol: TCP - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- - diff --git a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_enable_optional_load_balacer_service.yaml b/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_enable_optional_load_balacer_service.yaml deleted file mode 100644 index 57c0034775..0000000000 
--- a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_enable_optional_load_balacer_service.yaml +++ /dev/null @@ -1,22 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: ingress-nginx - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - externalTrafficPolicy: Local - type: LoadBalancer - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ports: - - name: http - port: 80 - targetPort: http - - name: https - port: 443 - targetPort: https - diff --git a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh b/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh deleted file mode 100755 index 495d540905..0000000000 --- a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/sh -e - -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -usage() -{ -cat << ==usage -$0 Automatic configuration using external addresess from nodes -$0 --help This message -$0 -h This message -$0 [cluster_ip1] ... [cluster_ipn] Cluster address or ip ranges -==usage -} - - -find_nodes_with_external_addrs() -{ - local WORKER_NODES - WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') - for worker in $WORKER_NODES; do - local external_ip - external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') - local internal_ip - internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') - if [ $internal_ip != $external_ip ]; then - echo $external_ip - fi - done -} - -generate_config_map() -{ -cat <""".format(arg0)) - print(( - "\n" - "Options:\n" - "-h, --help Show this help message and exit\n" - "-t, --table Use the specified format to display the result table.\n" - " Valid formats are those from the python `tabulate'\n" - " module. When not available, a basic builtin tabular\n" - " function is used and this field has no effect\n" - "-f, --fields Comma separated list of resources fields to display.\n" - " You may use wildcard patterns, eg small.*. 
Implicit\n" - " value is *, ie all available fields will be used\n" - "Examples:\n" - " # {0} /opt/oom/kubernetes\n" - " # {0} -f small.\\* /opt/oom/kubernetes\n" - " # {0} -f '*requests.*' -t fancy_grid /opt/oom/kubernetes\n" - " # {0} -f small.requests.cpu,small.requests.memory /opt/oom/kubernetes\n" - ).format(arg0)) - if status is not None: - sys.exit(status) - - -def getopts(): - """ read options from cmdline """ - opts, args = getopt.getopt(sys.argv[1:], - "hf:t:", - ["help", "fields=", "table="]) - if len(args) != 1: - usage(1) - - root = args[0] - table = None - fields = ['*'] - patterns = [] - - for opt, arg in opts: - if opt in ("-h", '--help'): - usage(0) - elif opt in ("-f", "--fields"): - fields = arg.split(',') - elif opt in ("-t", "--table"): - table = arg - - return root, table, fields, patterns - - -def main(): - """ main """ - try: - root, table, fields, patterns = getopts() - except getopt.GetoptError as e: - print("Error: {}".format(e)) - usage(1) - - if not os.path.isdir(root): - info("Cannot open {}: Not a directory".format(root)) - return - - # find projects - projects = [] - for dirname, filename in values(root): - projects.append(Project(dirname, filename)) - if not projects: - info("No projects found in {} directory".format(root)) - return - - # check if we want to use pattern matching (wildcard only) - if fields and reduce(lambda x, y: x or y, - map(lambda string: '*' in string, fields)): - patterns = fields - fields = [] - - # if fields are not specified or patterns are used, discover available fields - # and use them (sort for readability) - if patterns or not fields: - avail = sorted(set(reduce(lambda x, y: x+y, - map(lambda p: p.keys(), projects)))) - if patterns: - for pattern in patterns: - fields += filter(lambda string: match(string, pattern), avail) - else: - fields = avail - - # collect values for each project - results = map(lambda project: [project.name] + map(project.get, - fields), - projects) - - # and then print - if 
results: - headers = ['project'] + fields - print(tabulate(sorted(results), headers, tablefmt=table)) - - -main() diff --git a/kubernetes/contrib/tools/registry-initialize.sh b/kubernetes/contrib/tools/registry-initialize.sh deleted file mode 100755 index 798f375509..0000000000 --- a/kubernetes/contrib/tools/registry-initialize.sh +++ /dev/null 
@@ -1,152 +0,0 @@ -#!/bin/sh -x - -# Copyright (c) 2021 AT&T. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Pre-requisite -# 1. Chart packages available under local directory provided as input/argument -# 2. helm client installed with push plugin -# 3. ONAP chartmuseum service deployed - -usage() -{ - echo "Chart Base directory or helm chart from local repo must be provided as input!!" - echo "Usage: registry-initialize.sh -d chartdirectory \ -<-n namespace override> <-r helmrelease override> <-p chart name prefix> | <-h helm charts from local repo>" - exit 1 -} - -if [ $# -eq 0 ]; then - usage -fi - -# defaults -NAMESPACE=onap -RLS_NAME=onap -LOGIN="" -PASSWORD="" -PREF="" -HELM_REPO=local - -while getopts ":d:n:r:p:h:c:" opt; do - case $opt in - d) BASEDIR="$OPTARG" - ;; - n) NAMESPACE="$OPTARG" - ;; - r) RLS_NAME="$OPTARG" - ;; - p) PREF="$OPTARG" - ;; - h) HELM_CHART="$OPTARG" - ;; - c) HELM_REPO="$OPTARG" - ;; - \?) 
echo "Invalid option -$OPTARG" >&2 - usage - ;; - esac -done - - -if [ -z "$BASEDIR" ] && [ -z "$HELM_CHART" ] ; then - echo "Chart base directory provided $BASEDIR and helm chart from local repo is empty" - exit -fi - -if [ -n "$BASEDIR" ] && [ -n "$HELM_CHART" ] ; then - echo "Both chart base directory $BASEDIR and helm chart from local repo $HELM_CHART cannot be used at the same time " - exit -fi - -if [ -n "$BASEDIR" ]; then - if [ "$(find $BASEDIR -maxdepth 1 -name '*tgz' -print -quit)" ]; then - echo "$BASEDIR valid" - else - echo "No chart package on $BASEDIR provided" - exit - fi -fi - -if [ -n "$HELM_CHART" ]; then - tmp_location=$(mktemp -d) - helm pull $HELM_REPO/$HELM_CHART -d $tmp_location - if [ $? -eq 0 ]; then - echo "Helm chart $HELM_CHART has been pulled out from in $HELM_REPO repo" - BASEDIR=$tmp_location - else - echo "No chart package $HELM_CHART on $HELM_REPO repo" - exit - fi -fi - -if [ -z "$PREF" ] && [ -z "$HELM_CHART" ] ; then - PREF=dcae -fi - -LOGIN=$(kubectl -n "$NAMESPACE" get secret \ - "${RLS_NAME}-chartmuseum-registrycred" \ - -o jsonpath='{.data.login}' | base64 -d) - -PASSWORD=$(kubectl -n "$NAMESPACE" get secret \ - "${RLS_NAME}-chartmuseum-registrycred" \ - -o jsonpath='{.data.password}' | base64 -d) - -if [ -z "$LOGIN" ] || [ -z "$PASSWORD" ]; then - echo "Login/Password credential for target registry cannot be retrieved" - exit 1 -fi - -# Expose cluster port via port-forwarding -kubectl -n $NAMESPACE port-forward service/chart-museum 27017:80 & -if [ $? -ne 0 ]; then - echo "Error in port forwarding; registry cannot be added!!" - exit 1 -fi - -sleep 5 - -# Add chartmuseum repo as helm repo -# Credentials should match config defined in -# oom\kubernetes\platform\components\chartmuseum\values.yaml -helm repo add k8s-registry http://127.0.0.1:27017 --username "$LOGIN" \ - --password "$PASSWORD" -if [ $? -ne 0 ]; then - echo "registry cannot be added!!" 
- pkill -f "port-forward service/chart-museum" - exit 1 -fi - -# Initial scope is pushing only dcae charts -# can be expanded to include all onap charts if required -for file in $BASEDIR/$PREF*tgz; do - # use helm plugin to push charts - helm cm-push -f $file k8s-registry - if [ $? -eq 0 ]; then - echo "$file uploaded to registry successfully" - else - echo "registry upload failed!!" - pkill -f "port-forward service/chart-museum" - helm repo remove k8s-registry - exit 1 - fi -done - -echo "All Helm charts successfully uploaded into internal repository" - -# Remove the port-forwarding process -pkill -f "port-forward service/chart-museum" - -# Remove helm registry from local -helm repo remove k8s-registry diff --git a/kubernetes/contrib/tools/rke/rke_setup.sh b/kubernetes/contrib/tools/rke/rke_setup.sh deleted file mode 100755 index a8938a96ee..0000000000 --- a/kubernetes/contrib/tools/rke/rke_setup.sh +++ /dev/null 
@@ -1,353 +0,0 @@ -#!/bin/sh - -############################################################################# -# Copyright © 2019 Bell. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -############################################################################# -# -# This installation is for an RKE install of kubernetes -# after this run the standard oom install -# this installation can be run on any ubuntu 16.04/18.04 VM, RHEL 7.6 (root only), physical or cloud azure/aws host -# https://wiki.onap.org/display/DW/OOM+RKE+Kubernetes+Deployment -# source from https://jira.onap.org/browse/OOM-1598 -# -# master/dublin -# RKE 0.1.16 Kubernetes 1.11.6, kubectl 1.11.6, Helm 2.9.1, Docker 18.06 -# 20190428 RKE 0.2.1, Kubernetes 1.13.5, kubectl 1.13.5, Helm 2.12.3, Docker 18.09.5 -# single node install, HA pending - -usage() { -cat < cluster.yml <> /etc/hosts - echo "Install docker - If you must install as non-root - comment out the docker install below - run it separately, run the user mod, logout/login and continue this script" - curl https://releases.rancher.com/install-docker/$DOCKER_VERSION.sh | sh - sudo usermod -aG docker $USERNAME - - echo "Install RKE" - sudo wget https://github.com/rancher/rke/releases/download/v$RKE_VERSION/rke_linux-amd64 - mv rke_linux-amd64 rke - sudo chmod +x rke - sudo mv ./rke /usr/local/bin/rke - - echo "Install make - required for beijing+ - installed via yum groupinstall Development Tools in RHEL" - # ubuntu specific - sudo apt-get install 
make -y - - sudo curl -LO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl - sudo chmod +x ./kubectl - sudo mv ./kubectl /usr/local/bin/kubectl - sudo mkdir ~/.kube - wget http://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz - sudo tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz - sudo mv linux-amd64/helm /usr/local/bin/helm - - echo "Bringing RKE up - using supplied cluster.yml" - sudo rke up - echo "wait 2 extra min for the cluster" - sleep 60 - echo "1 more min" - sleep 60 - echo "copy kube_config_cluter.yaml generated - to ~/.kube/config" - sudo cp kube_config_cluster.yml ~/.kube/config - # avoid using sudo for kubectl - sudo chmod 777 ~/.kube/config - echo "Verify all pods up on the kubernetes system - will return localhost:8080 until a host is added" - echo "kubectl get pods --all-namespaces" - kubectl get pods --all-namespaces - echo "install tiller/helm" - kubectl -n kube-system create serviceaccount tiller - kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller - helm init --service-account tiller - kubectl -n kube-system rollout status deploy/tiller-deploy - echo "upgrade server side of helm in kubernetes" - if [ "$USERNAME" = "root" ]; then - helm version - else - sudo helm version - fi - echo "sleep 30" - sleep 30 - if [ "$USERNAME" = "root" ]; then - helm init --upgrade - else - sudo helm init --upgrade - fi - echo "sleep 30" - sleep 30 - echo "verify both versions are the same below" - if [ "$USERNAME" = "root" ]; then - helm version - else - sudo helm version - fi - echo "start helm server" - if [ "$USERNAME" = "root" ]; then - helm serve & - else - sudo helm serve & - fi - echo "sleep 30" - sleep 30 - echo "add local helm repo" - if [ "$USERNAME" = "root" ]; then - helm repo add local http://127.0.0.1:8879 - helm repo list - else - sudo helm repo add local http://127.0.0.1:8879 - sudo helm repo list - fi - echo 
"To enable grafana dashboard - do this after running cd.sh which brings up onap - or you may get a 302xx port conflict" - echo "kubectl expose -n kube-system deployment monitoring-grafana --type=LoadBalancer --name monitoring-grafana-client" - echo "to get the nodeport for a specific VM running grafana" - echo "kubectl get services --all-namespaces | grep graf" - sudo docker version - helm version - kubectl version - kubectl get services --all-namespaces - kubectl get pods --all-namespaces - echo "finished!" -} - -BRANCH= -SERVER= -ENVIRON= -VALIDATE=false -USERNAME=ubuntu -SSHPATH_PREFIX=~/.ssh - -while getopts ":b:s:e:u:l:k:v" PARAM; do - case $PARAM in - u) - usage - exit 1 - ;; - b) - BRANCH=${OPTARG} - ;; - e) - ENVIRON=${OPTARG} - ;; - s) - SERVER=${OPTARG} - ;; - l) - USERNAME=${OPTARG} - ;; - k) - SSHKEY=${OPTARG} - ;; - v) - VALIDATE=${OPTARG} - ;; - ?) - usage - exit - ;; - esac -done - -if [ -z $BRANCH ]; then - usage - exit 1 -fi - -install_onap $BRANCH $SERVER $ENVIRON $USERNAME $SSHPATH_PREFIX $SSHKEY $VALIDATE diff --git a/kubernetes/contrib/values.yaml b/kubernetes/contrib/values.yaml deleted file mode 100644 index 8a44934d8f..0000000000 --- a/kubernetes/contrib/values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - cmpv2Enabled: true - -awx: - enabled: true -netbox: - enabled: true 
diff --git a/kubernetes/cps/Chart.yaml b/kubernetes/cps/Chart.yaml index 63f65a59b6..06fdcf0305 100644 --- a/kubernetes/cps/Chart.yaml +++ b/kubernetes/cps/Chart.yaml @@ -17,25 +17,25 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) name: cps -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: roles-wrapper - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: standaloneDeployment - name: cps-core - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: cps-core.enabled - name: cps-temporal - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: cps-temporal.enabled - name: ncmp-dmi-plugin - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: ncmp-dmi-plugin.enabled diff --git a/kubernetes/cps/components/cps-core/Chart.yaml b/kubernetes/cps/components/cps-core/Chart.yaml index c9638b2d05..b1aa1046dd 100644 --- a/kubernetes/cps/components/cps-core/Chart.yaml +++ b/kubernetes/cps/components/cps-core/Chart.yaml @@ -18,26 +18,26 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) - Core name: cps-core -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.postgres.localCluster - name: postgres-init - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: postgres.postgresInit - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file 
diff --git a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml index f9bb230161..81b81341e5 100644 --- a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml +++ b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml @@ -1,7 +1,7 @@ {{/* # Copyright (C) 2021 Pantheon.tech # Modifications Copyright (C) 2020 Bell Canada. -# Modifications Copyright (C) 2021-2022 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # Modifications Copyright (C) 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -37,8 +37,8 @@ spring: client-id: cps-core security: - # comma-separated uri patterns which do not require authorization - permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/api-docs +# comma-separated uri patterns which do not require authorization + permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs/** auth: username: ${CPS_USERNAME} password: ${CPS_PASSWORD} 
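Review bot: In the `security` block of hunk `@@ -37,8 +37,8`, the new `permit-uri` value exempts `/actuator/**` from authorization, which covers every actuator endpoint the application exposes, not only those that probes and metrics need. Which endpoints are exposed is configured elsewhere and is not visible in this hunk, so anything enabled beyond health and Prometheus becomes readable without credentials on the service port. Assuming those two are the only endpoints that must be anonymous, list them explicitly, e.g. `permit-uri: /actuator/health/**,/actuator/prometheus,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs/**`. Otherwise add a comment stating where actuator exposure is restricted. The `# comma-separated uri patterns ...` comment also lost its indentation and no longer lines up with the key it documents.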
@@ -54,18 +54,29 @@ ncmp: username: ${DMI_USERNAME} password: ${DMI_PASSWORD} -{{- if .Values.config.useStrimziKafka }} -spring.kafka.bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 +{{- with (first .Values.kafkaUser.acls) }} +spring.kafka.consumer.group-id: {{ .name }} +{{- end }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 spring.kafka.security.protocol: SASL_PLAINTEXT -spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512 -spring.kafka.properties.sasl.jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} +spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} +spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} + +# Kafka Topics +{{- if .Values.topics.config }} +{{ toYaml .Values.topics.config | nindent 2 }} {{- end }} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} {{- end }} +# Custom Hazelcast config. +hazelcast: + mode: + kubernetes: + enabled: {{ .Values.hazelcast.config.kubernetesDiscovery }} + service-name: {{ .Values.hazelcast.config.kubernetesServiceName }} + # Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/components/cps-core/templates/deployment.yaml b/kubernetes/cps/components/cps-core/templates/deployment.yaml index 3684aab3ac..daf6fd3dfa 100644 --- a/kubernetes/cps/components/cps-core/templates/deployment.yaml +++ b/kubernetes/cps/components/cps-core/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # Copyright (C) 2021 Pantheon.tech, Orange # Modifications Copyright (C) 2021 Bell Canada. -# Modifications Copyright (C) 2021-2022 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
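Review bot: `spring.kafka.properties.sasl.mechanism` is now rendered from `.Values.kafkaUser.authenticationType | upper` with no check, so an unset or non-SCRAM value (a Strimzi user of type `tls`, for instance) yields an empty or invalid mechanism while `security.protocol` stays `SASL_PLAINTEXT`. Failing at render time is clearer: `spring.kafka.properties.sasl.mechanism: {{ required "kafkaUser.authenticationType is required" .Values.kafkaUser.authenticationType | upper }}`. The `hazelcast.config.*` values at the end of the hunk are read the same unguarded way, and their defaults are not visible here. Since the `useStrimziKafka` switch is gone and the broker connection is always SASL over plaintext, a comment saying where transport encryption is expected to come from would help the next reviewer of this config.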
@@ -57,10 +57,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "login") | indent 12 }} - name: DMI_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "password") | indent 12 }} - {{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} - {{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: init-data-input @@ -111,10 +112,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "login") | indent 12 }} - name: DMI_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "password") | indent 12 }} - {{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} - {{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} @@ -140,5 +142,4 @@ spec: medium: Memory - name: init-temp emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cps/components/cps-core/templates/kafkatopic.yaml b/kubernetes/cps/components/cps-core/templates/kafkatopic.yaml new file mode 100644 index 0000000000..7274ee02b2 --- /dev/null +++ b/kubernetes/cps/components/cps-core/templates/kafkatopic.yaml 
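Review bot: Both container specs (this hunk and `@@ -111,10 +112,11`) now read `SASL_JAAS_CONFIG` from a secret named `{{ include "common.name" . }}-ku`, with the `-ku` suffix hard-coded twice and no comment tying it to the resource that creates it. The name presumably has to match the secret produced for the `common.kafkauser` template added in this commit; that template is not visible here, so please confirm. A comment such as `# secret generated for the KafkaUser rendered by templates/kafkauser.yaml` above each `secretKeyRef` would record the link. Because the reference is no longer conditional and is not marked `optional`, the pod cannot start until that secret exists, which is worth stating in the chart documentation. Both container definitions start and end outside the hunks.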
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-core/templates/kafkauser.yaml b/kubernetes/cps/components/cps-core/templates/kafkauser.yaml new file mode 100644 index 0000000000..708e99dfe0 --- /dev/null +++ b/kubernetes/cps/components/cps-core/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-core/templates/service.yaml b/kubernetes/cps/components/cps-core/templates/service.yaml index 97657bfc0b..52263a87ac 100644 --- a/kubernetes/cps/components/cps-core/templates/service.yaml +++ b/kubernetes/cps/components/cps-core/templates/service.yaml 
@@ -15,3 +15,5 @@ */}} {{ include "common.service" . }} +--- +{{ include "common.headlessService" . }} diff --git a/kubernetes/cps/components/cps-core/values.yaml b/kubernetes/cps/components/cps-core/values.yaml index 8e5e314aca..d72863955f 100644 --- a/kubernetes/cps/components/cps-core/values.yaml +++ b/kubernetes/cps/components/cps-core/values.yaml @@ -1,6 +1,6 @@ # Copyright (C) 2021 Pantheon.tech, Orange, Bell Canada. # Modifications Copyright (C) 2022 Bell Canada -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -43,13 +43,6 @@ secrets: login: '{{ .Values.config.dmiPluginUserName }}' password: '{{ .Values.config.dmiPluginUserPassword }}' passwordPolicy: generate - - uid: cps-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate ################################################################# # Global configuration defaults. @@ -75,30 +68,30 @@ global: container: name: postgres -image: onap/cps-and-ncmp:3.1.5 -containerPort: &svc_port 8080 -managementPort: &mgt_port 8081 +image: onap/cps-and-ncmp:3.3.11 service: type: ClusterIP + headless: {} name: cps-core + internalPort: &svc_port 8080 ports: - name: &port http port: *svc_port - - name: http-management - port: *mgt_port - targetPort: *mgt_port + headlessPorts: + - name: tcp-hazelcast + port: 5701 prometheus: enabled: false metrics: serviceMonitor: - port: http-management + port: http ## specify target port if name is not given to the port in the service definition ## # targetPort: 8080 - path: /manage/prometheus + path: /actuator/prometheus interval: 60s basicAuth: enabled: false 
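Review bot: Dropping `managementPort` in the -75 hunk moves the actuator endpoints onto the same `http` port as the REST API (`serviceMonitor.port: http`, `path: /actuator/prometheus`, and the probes in the next hunk use `*svc_port`), so anything that can reach the API port, presumably including the ingress this values file enables, can now reach `/actuator/*` as well. Which actuator endpoints are exposed is decided by application configuration that this diff does not show; it is worth confirming that only health and metrics are exposed, or pinning it through `config.additional`, e.g. `management.endpoints.web.exposure.include: health,prometheus`. The ncmp-dmi-plugin values.yaml makes the same port change. The new `headlessPorts` entry also publishes Hazelcast on 5701, and nothing in this diff limits which pods may connect to it.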
@@ -116,18 +109,18 @@ replicaCount: 1 resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1.5Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1.5Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "3Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "3Gi" unlimited: {} # probe configuration parameters liveness: @@ -136,20 +129,20 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port readiness: initialDelaySeconds: 15 periodSeconds: 15 - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port startup: failureThreshold: 5 periodSeconds: 60 - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port ingress: enabled: true @@ -173,8 +166,7 @@ securityContext: ################################################################# config: - - # Set it for pre loading xnfdata, else set to null + # Set it for preloading xnfdata, else set to null liquibaseLabels: xnf-data-preload # REST API basic authentication credentials (passsword is generated if not provided) 
@@ -189,22 +181,9 @@ config: # spring.config.max-size: 200 # spring.config.min-size: 10 -# kafka config - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. - -# eventPublisher: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: SASL_PLAINTEXT -# spring.kafka.properties.sasl.mechanism: PLAIN -# spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username=admin password=admin_secret; - additional: - notification.data-updated.enabled: true - notification.data-updated.topic: cps.data-updated-events + notification.enabled: true + notification.data-updated.topic: &dataUpdatedTopic cps.data-updated-events notification.data-updated.filters.enabled-dataspaces: "" notification.async.enabled: false notification.async.executor.core-pool-size: 2 @@ -213,6 +192,37 @@ config: notification.async.executor.wait-for-tasks-to-complete-on-shutdown: true notification.async.executor.thread-name-prefix: Async- +# Strimzi KafkaUser and Topic config +kafkaTopic: + - name: &dmiCmEventsTopic dmi-cm-events + retentionMs: 7200000 + segmentBytes: 1073741824 + +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: cps-core-group + type: group + operations: [Read] + - name: *dataUpdatedTopic + type: topic + operations: [Write] + - name: *dmiCmEventsTopic + type: topic + operations: [Read] + - name: &ncmpAsyncM2MTopic ncmp-async-m2m + type: topic + operations: [Read] + - name: &cmAvcSubscriptionTopic cm-avc-subscription + type: topic + operations: [Read] + +topics: + config: + app.ncmp.async-m2m.topic: *ncmpAsyncM2MTopic + app.ncmp.avc.subscription-topic: *cmAvcSubscriptionTopic + app.dmi.cm-events.topic: *dmiCmEventsTopic + logging: level: INFO path: /tmp 
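Review bot: The ACL list added in the -213 hunk grants access to four topics, but `kafkaTopic` declares only `dmi-cm-events`; `cps.data-updated-events` and `cm-avc-subscription` have no KafkaTopic in the values visible in this commit, and the umbrella template that used to create `cps.data-updated-events` is deleted further down. If those topics are meant to be auto-created by the broker, note that this user gets only `Write` or `Read` on them, which would normally not be enough to create a topic when ACL authorization is enforced, so it should be confirmed which chart owns each topic. A short comment beside each ACL naming the owner would make this reviewable, e.g. `# topic is declared in ncmp-dmi-plugin kafkaTopic` on `ncmp-async-m2m`. Replacing the former `All` grants with per-topic `Read`/`Write` is a sound least-privilege change and should stay.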
@@ -250,6 +260,8 @@ postgres-init: pgDatabase: cpsdb pgDataPath: data pgUserExternalSecret: *pgUserCredsSecretName + serviceAccount: + nameOverride: cps-postgres-init # pgPrimaryPassword: password # pgUserPassword: password @@ -257,10 +269,19 @@ postgres-init: readinessCheck: wait_for: - - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}' + services: + - '{{ .Values.global.postgres.service.name2 }}' minReadySeconds: 10 updateStrategy: type: RollingUpdate maxUnavailable: 0 maxSurge: 1 + +# Hazlecast custom configurations. +hazelcast: + config: + kubernetesDiscovery: true + kubernetesServiceName: cps-core-headless + + diff --git a/kubernetes/cps/components/cps-temporal/Chart.yaml b/kubernetes/cps/components/cps-temporal/Chart.yaml index 39347a9938..4f3f317b29 100644 --- a/kubernetes/cps/components/cps-temporal/Chart.yaml +++ b/kubernetes/cps/components/cps-temporal/Chart.yaml @@ -21,21 +21,21 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) - Temporal name: cps-temporal -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: timescaledb - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml index 6e80843949..bede7f1fdc 100644 --- a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml +++ b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml 
@@ -1,7 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,23 +25,18 @@ spring: username: ${DB_USERNAME} password: ${DB_PASSWORD} - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} - app: listener: data-updated: topic: {{ .Values.config.app.listener.dataUpdatedTopic }} -{{- if .Values.config.useStrimziKafka }} -spring.kafka.bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -spring.kafka.security.protocol: SASL_PLAINTEXT -spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512 -spring.kafka.properties.sasl.jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} +{{- with (first .Values.kafkaUser.acls) }} +spring.kafka.consumer.group-id: {{ .name }} {{- end }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +spring.kafka.security.protocol: SASL_PLAINTEXT +spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} +spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} diff --git a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml index 71ff37193b..143740d191 100644 --- a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml +++ b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml 
@@ -1,7 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -54,10 +54,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }} - name: APP_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }} - {{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} - {{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: init-data-input @@ -113,6 +114,4 @@ spec: medium: Memory - name: init-temp emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cps/components/cps-temporal/templates/kafkatopic.yaml b/kubernetes/cps/components/cps-temporal/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/kafkatopic.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/cps/components/cps-temporal/templates/kafkauser.yaml b/kubernetes/cps/components/cps-temporal/templates/kafkauser.yaml new file mode 100644 index 0000000000..708e99dfe0 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/values.yaml b/kubernetes/cps/components/cps-temporal/values.yaml index 1c57a4a512..56e229a0cd 100644 --- a/kubernetes/cps/components/cps-temporal/values.yaml +++ b/kubernetes/cps/components/cps-temporal/values.yaml 
@@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -40,13 +40,6 @@ secrets: login: '{{ .Values.config.appUserName }}' password: '{{ .Values.config.appUserPassword }}' passwordPolicy: generate - - uid: cps-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate image: onap/cps-temporal:1.2.1 containerPort: &svc_port 8080 @@ -90,18 +83,18 @@ replicaCount: 1 resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "4Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "4Gi" unlimited: {} # probe configuration parameters liveness: 
@@ -146,24 +139,9 @@ config: spring: profile: helm #appUserPassword: - -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: cps-temporal-group app: listener: - dataUpdatedTopic: cps.data-updated-events -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. - -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: cps-temporal-group + dataUpdatedTopic: &dataUpdatedTopic cps.data-updated-events # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. @@ -171,6 +149,17 @@ config: # spring.config.max-size: 200 # spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: cps-temporal-group + type: group + operations: [Read] + - name: *dataUpdatedTopic + type: topic + operations: [Read] + logging: level: INFO path: /tmp @@ -194,7 +183,8 @@ timescaledb: readinessCheck: wait_for: - - cps-temporal-db + services: + - cps-temporal-db minReadySeconds: 10 updateStrategy: diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml index b75bbb3d36..fb578590e0 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml 
@@ -21,18 +21,18 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) - NCMP-DMI-Plugin name: ncmp-dmi-plugin -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml index 8e71114c8c..2b68b6c04f 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml @@ -37,7 +37,7 @@ sdnc: security: # comma-separated uri patterns which do not require authorization - permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/v3/api-docs + permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs auth: username: ${DMI_PLUGIN_USERNAME} password: ${DMI_PLUGIN_PASSWORD} @@ -49,6 +49,18 @@ logging: onap: cps: {{ .Values.logging.cps }} +{{- with (first .Values.kafkaUser.acls) }} +spring.kafka.consumer.group-id: {{ .name }} +{{- end }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +spring.kafka.security.protocol: SASL_PLAINTEXT +spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} +spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} + +# Kafka Topics +{{- if .Values.topics.config }} +{{ toYaml .Values.topics.config | nindent 2 }} +{{- end }} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} 
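Review bot: `permit-uri` in the -37 hunk now exempts `/actuator/**` from authorization, a wildcard over every actuator endpoint the application exposes, while the values.yaml change in this commit removes the separate management port so those endpoints are served on the API port. The old `/manage/**` entry was equally broad, but it applied to endpoints on the dedicated management port. The probes and the ServiceMonitor in this chart only use `/actuator/health` and `/actuator/prometheus`, so replacing the wildcard with `/actuator/health/**,/actuator/prometheus` would keep any other actuator endpoint behind the basic-auth credentials. The exposure list itself is set inside the application and is not visible here, so the actual reach of the wildcard should be confirmed before merging.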
diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml index 3d154dba64..351f8834a4 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml @@ -31,10 +31,7 @@ spec: maxSurge: {{ index .Values.updateStrategy.maxSurge }} selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app.kubernetes.io/name: {{ include "common.name" . }} - app.kubernetes.io/instance: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim}} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} @@ -60,6 +57,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-core-creds" "key" "login") | indent 12 }} - name: CPS_CORE_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-core-creds" "key" "password") | indent 12 }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: init-data-input @@ -90,6 +92,11 @@ spec: env: - name: SPRING_PROFILES_ACTIVE value: {{ .Values.config.spring.profile }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} @@ -112,5 +119,4 @@ spec: medium: Memory - name: init-temp emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkatopic.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkatopic.yaml new file mode 100644 index 0000000000..7274ee02b2 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkauser.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkauser.yaml new file mode 100644 index 0000000000..708e99dfe0 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} \ No newline at end of file 
diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml index c35519b5fc..e0bc868c54 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml @@ -47,9 +47,8 @@ global: virtualhost: baseurl: "simpledemo.onap.org" -image: onap/ncmp-dmi-plugin:1.2.2 +image: onap/ncmp-dmi-plugin:1.4.0 containerPort: &svc_port 8080 -managementPort: &mgt_port 8081 prometheus: enabled: false @@ -60,17 +59,14 @@ service: ports: - name: &port http port: *svc_port - - name: http-management - port: *mgt_port - targetPort: *mgt_port metrics: serviceMonitor: - port: http-management + port: http ## specify target port if name is not given to the port in the service definition ## # targetPort: 8080 - path: /manage/prometheus + path: /actuator/prometheus interval: 60s basicAuth: enabled: false @@ -88,18 +84,18 @@ replicaCount: 1 resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -108,14 +104,14 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port readiness: initialDelaySeconds: 15 periodSeconds: 15 - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port ingress: enabled: true 
@@ -164,16 +160,51 @@ config: # spring.config.min-size: 10 logging: - level: INFO + level: DEBUG cps: DEBUG path: /tmp readinessCheck: wait_for: - - cps-core + services: + - cps-core minReadySeconds: 10 updateStrategy: type: RollingUpdate maxUnavailable: 0 maxSurge: 1 + +# Strimzi KafkaUser and Topic config +kafkaTopic: + - name: &ncmpDmiCmAvcSubscriptionNcmpDmiPluginTopic ncmp-dmi-cm-avc-subscription-ncmp-dmi-plugin + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: &dmiNcmpCmAvcSubscriptionTopic dmi-ncmp-cm-avc-subscription + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: &ncmpAsyncM2MTopic ncmp-async-m2m + retentionMs: 7200000 + segmentBytes: 1073741824 + +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: ncmp-dmi-plugin-group + type: group + operations: [Read] + - name: *ncmpDmiCmAvcSubscriptionNcmpDmiPluginTopic + type: topic + operations: [Read] + - name: *dmiNcmpCmAvcSubscriptionTopic + type: topic + operations: [Write] + - name: *ncmpAsyncM2MTopic + type: topic + operations: [Write] + +topics: + config: + app.ncmp.async.topic: *ncmpAsyncM2MTopic + app.dmi.avc.subscription-topic: *ncmpDmiCmAvcSubscriptionNcmpDmiPluginTopic + app.dmi.avc.subscription-response-topic: *dmiNcmpCmAvcSubscriptionTopic diff --git a/kubernetes/cps/templates/cps-kafka-topic.yaml b/kubernetes/cps/templates/cps-kafka-topic.yaml deleted file mode 100644 index b4ecfcd9c4..0000000000 --- a/kubernetes/cps/templates/cps-kafka-topic.yaml +++ /dev/null 
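Review bot: The -164 hunk changes the chart default `logging.level` from `INFO` to `DEBUG`, which reads like a troubleshooting leftover rather than an intended default for every deployment. At DEBUG the framework and client loggers are far more verbose and may write request details or configuration values to the pod log and to the `/tmp` log path; unless this is deliberate, keep `level: INFO` and rely on the existing scoped override `cps: DEBUG`. If DEBUG is intended, a comment such as `# DEBUG is temporary, revert to INFO before release` would make that explicit. The new `kafkaUser.acls` block in the same hunk is scoped per topic and operation, which is the right direction.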
@@ -1,48 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.config.useStrimziKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.dataUpdatedTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: {{ .Values.config.dataUpdatedTopic.partitions }} - config: - retention.ms: {{ .Values.config.dataUpdatedTopic.retentionMs }} - segment.bytes: {{ .Values.config.dataUpdatedTopic.segmentBytes }} ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.ncmpEventsTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - config: - retention.ms: {{ .Values.config.ncmpEventsTopic.retentionMs }} ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.ncmpAsyncM2MTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - config: - retention.ms: {{ .Values.config.ncmpAsyncM2MTopic.retentionMs }} -{{- end }} \ No newline at end of file diff --git a/kubernetes/cps/templates/cps-kafka-user.yaml b/kubernetes/cps/templates/cps-kafka-user.yaml deleted file mode 100644 index fafc8c3369..0000000000 --- a/kubernetes/cps/templates/cps-kafka-user.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.config.useStrimziKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.global.cpsKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: group - name: {{ .Values.config.dataUpdatedTopic.consumer.groupId }} - operation: Read - - resource: - type: topic - name: {{ .Values.config.dataUpdatedTopic.name }} - operation: Read - - resource: - type: topic - name: {{ .Values.config.dataUpdatedTopic.name }} - operation: Write - - resource: - type: group - name: {{ .Values.config.ncmpEventsTopic.consumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.config.ncmpEventsTopic.name }} - operation: All - - resource: - type: group - name: {{ .Values.config.ncmpAsyncM2MTopic.consumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.config.ncmpAsyncM2MTopic.name }} - operation: All -{{- end }} \ No newline at end of file diff --git a/kubernetes/cps/values.yaml b/kubernetes/cps/values.yaml index f3e6198ac1..a08690ed53 100755 --- a/kubernetes/cps/values.yaml +++ b/kubernetes/cps/values.yaml 
@@ -1,5 +1,5 @@ # Copyright (C) 2021 Bell Canada -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -48,13 +48,6 @@ config: coreUserName: cpsuser dmiPluginUserName: dmiuser useStrimziKafka: true - dataUpdatedTopic: - name: cps.data-updated-events - partitions: 10 - retentionMs: 7200000 - segmentBytes: 1073741824 - consumer: - groupId: cps-temporal-group ncmpEventsTopic: name: ncmp-events retentionMs: 7200000 @@ -65,6 +58,31 @@ config: retentionMs: 600000 consumer: groupId: ncmp-group + dmiCmEventsTopic: + name: dmi-cm-events + retentionMs: 7200000 + consumer: + groupId: ncmp-group + ncmpCmAvcSubscriptionTopic: + name: cm-avc-subscription + retentionMs: 7200000 + consumer: + groupId: ncmp-group + ncmpCmEventsTopic: + name: cm-events + retentionMs: 7200000 + consumer: + groupId: ncmp-group + dmiCmAvcSubscriptionTopic: + name: ncmp-dmi-cm-avc-subscription-ncmp-dmi-plugin + retentionMs: 7200000 + consumer: + groupId: ncmp-group + dmiCmAvcSubscriptionResponseTopic: + name: dmi-ncmp-cm-avc-subscription + retentionMs: 7200000 + consumer: + groupId: ncmp-group # Enable all CPS components by default cps-core: diff --git a/kubernetes/dcaegen2-services/Chart.yaml b/kubernetes/dcaegen2-services/Chart.yaml index a112fa6f59..ade33b4c3f 100644 --- a/kubernetes/dcaegen2-services/Chart.yaml +++ b/kubernetes/dcaegen2-services/Chart.yaml 
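Review bot: The -65 hunk adds five more `*Topic` entries under `config`, but the templates in this commit that read `.Values.config.*Topic`, `cps-kafka-topic.yaml` and `cps-kafka-user.yaml`, are deleted in the same change, and the topics are now declared in the component charts' `kafkaTopic`/`kafkaUser` values. Unless another consumer exists outside this diff, these entries, the remaining `ncmpEventsTopic` block and `useStrimziKafka: true` are dead configuration, and they disagree with the component values: every entry here uses `groupId: ncmp-group`, while the component ACLs use `cps-core-group` and `ncmp-dmi-plugin-group`. Stale values like these are easy to mistake for the effective ACL and retention settings when auditing the deployment. I would drop them, or add a comment such as `# not read by any template; topics and ACLs are defined per component`.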
@@ -1,8 +1,9 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2020 J. F. Lucas. All rights reserved. +# Copyright (c) 2020, 2024 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,88 +19,88 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE Microservices name: dcaegen2-services -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcae-datafile-collector - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datafile-collector.enabled - name: dcae-datalake-admin-ui - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datalake-admin-ui.enabled - name: dcae-datalake-des - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datalake-des.enabled - name: dcae-datalake-feeder - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datalake-feeder.enabled - name: dcae-heartbeat - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-heartbeat.enabled - name: dcae-hv-ves-collector - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-hv-ves-collector.enabled - name: dcae-kpi-ms - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-kpi-ms.enabled - name: dcae-ms-healthcheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-ms-healthcheck.enabled - name: dcae-pm-mapper - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-pm-mapper.enabled - name: dcae-pmsh - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-pmsh.enabled - name: dcae-prh - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-prh.enabled - name: dcae-restconf-collector - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-restconf-collector.enabled - name: dcae-slice-analysis-ms - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-slice-analysis-ms.enabled - name: dcae-snmptrap-collector - version: ~12.x-0 + version: ~13.x-0 
repository: '@local' condition: dcae-snmptrap-collector.enabled - name: dcae-son-handler - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-son-handler.enabled - name: dcae-tcagen2 - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-tcagen2.enabled - name: dcae-ves-collector - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-ves-collector.enabled - name: dcae-ves-mapper - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-ves-mapper.enabled - name: dcae-ves-openapi-manager - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/dcae-ves-openapi-manager' condition: dcae-ves-openapi-manager.enabled diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml index 518e782d82..64fee4bba7 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml @@ -21,9 +21,9 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Microservices Common templates name: dcaegen2-services-common -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl index afd3c38f31..bb35e80848 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl 
@@ -1,7 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2019 AT&T -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -33,14 +33,10 @@ The template always produces a configMap containing the microservice's initial configuration data. (See the documentation for dcaegen2-services-common.microserviceDeployment for more details.) -If the microservice is using one or more Data Router (DR) feeds, the +If the microservice is publishing to one or more Data Router (DR) feeds, the template produces a configMap containing the information needed to provision the feed(s). An init container performs the provisioning. -If the microservice acts as a DR publisher for one or more feeds, the -template produces a configMap containing the information needed to -provision the publisher(s). An init container performs the provisioning. - If the microservice acts as a DR subscriber for one or more feeds, the template produces a configMap containing the information needed to provision the subscribeer(s). An init container performs the provisioning. 
@@ -70,22 +66,22 @@ metadata: data: {{- range $i, $feed := .Values.drFeedConfig }} feedConfig-{{$i}}.json: |- - {{ $feed | toJson | indent 2 }} - {{- end }} -{{- end }} - -{{- if .Values.drPubConfig }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-drpub-config - namespace: {{ include "common.namespace" . }} - labels: {{ include "common.labels" . | nindent 6 }} -data: - {{- range $i, $drpub := .Values.drPubConfig }} - drpubConfig-{{$i}}.json: |- - {{ $drpub | toJson | indent 2 }} + { + "name": {{ $feed.feedName | quote }}, + "version": {{ $feed.feedVersion | quote }}, + "description": {{ $feed.feedDescription | default "None" | quote }}, + "authorization": { + "classification": {{ $feed.classification | quote }}, + "endpoint_addrs": [ + ], + "endpoint_ids": [ + { + "id": {{ $feed.publisher.username | quote }}, + "password": {{ $feed.publisher.password | quote }} + } + ] + } + } {{- end }} {{- end }} @@ -100,7 +96,23 @@ metadata: data: {{- range $i, $drsub := .Values.drSubConfig }} drsubConfig-{{$i}}.json: |- - {{ $drsub | toJson | indent 2 }} + { + "feed": { + "name": {{ $drsub.feedName | quote }}, + "version": {{ $drsub.feedVersion | quote }} + }, + "delivery": { + "url": {{ $drsub.deliveryURL | quote }}, + "user": {{ $drsub.username | quote }}, + "password": {{ $drsub.userpwd | quote }}, + "use100": {{ $drsub.use100 | default false }} + }, + "metadataOnly": {{ $drsub.metadataOnly | default false }}, + "groupid": {{ $drsub.groupId | default 0 }}, + "follow_redirect": {{ $drsub.followRedirect | default true }}, + "privileged_subscriber": {{ $drsub.privilegedSubscriber | default false }}, + "decompress": {{ $drsub.decompress | default false }} + } {{- end }} {{- end }} {{- end }} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 93efe98846..c841d6df50 100644 
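Review bot: The hand-built JSON in `feedConfig-{{$i}}.json`, and in `drsubConfig-{{$i}}.json` in hunk `@@ -100,7 +96,23 @@`, encodes every string with `quote`, which applies Go string quoting rather than JSON encoding, so a value holding control or other non-printable characters can render as an escape a JSON parser rejects. `toJson` is the JSON-safe form, for example `"password": {{ $feed.publisher.password | toJson }}`, and likewise for the other string fields. Both documents also put `password` fields into a ConfigMap: the datafile-collector values in this commit pass `${DR_PASSWORD}` placeholders, presumably resolved by the provisioning init container, but a literal password set in values would be stored in the ConfigMap in clear text. The template's header comment should state that `publisher.password` and `userpwd` must be `${...}` placeholders backed by a Secret, never literals.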
--- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -1,7 +1,7 @@ {{/* #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2021 Nokia. All rights reserved. # Copyright (c) 2021 Nordix Foundation. @@ -60,11 +60,19 @@ the the literal string "An example value". - name: {{ $envName }} value: {{ tpl $envValue $global | quote }} {{- else }} - {{ if or (not $envValue.secretUid) (not $envValue.key) }} - {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }} - {{- end }} + {{- if and (hasKey $envValue "externalSecret") ($envValue.externalSecret) }} +- name: {{ $envName }} + valueFrom: + secretKeyRef: + name: {{ tpl $envValue.externalSecretUid $global | quote }} + key: {{ tpl $envValue.key $global | quote }} + {{- else }} + {{ if or (not $envValue.secretUid) (not $envValue.key) }} + {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }} + {{- end }} - name: {{ $envName }} {{- include "common.secret.envFromSecretFast" (dict "global" $global "uid" $envValue.secretUid "key" $envValue.key) | indent 2 }} + {{- end }} {{- end -}} {{- end }} {{- end }} 
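Review bot: The new `externalSecret` branch in hunk `@@ -60,11 +60,19 @@` renders `secretKeyRef` from `$envValue.externalSecretUid` and `$envValue.key` without the presence check that the `else` branch keeps, so an entry with `externalSecret: true` but no uid or key is not rejected with the clear `fail` message. A guard at the top of the branch would keep the two paths consistent: `{{- if or (not $envValue.externalSecretUid) (not $envValue.key) }}{{ fail (printf "Env %s sets externalSecret but lacks externalSecretUid or key" $envName) }}{{- end }}`. The comment above this define should also document the `externalSecret` and `externalSecretUid` fields next to `secretUid` and `key`. The enclosing define starts and ends outside the hunk.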
@@ -220,16 +228,6 @@ process into the microservice's configuration. See the documentation for the common DMaaP provisioning template (oom/kubernetes/common/common/templates/_dmaapProvisioning.tpl). -If the microservice acts as a TLS client or server, the Deployment will -include an initContainer that retrieves certificate information from -the AAF certificate manager. The information is mounted at the -mount point specified in .Values.certDirectory. If the microservice is -a TLS server (indicated by setting .Values.tlsServer to true), the -certificate information will include a server cert and key, in various -formats. It will also include the AAF CA cert. If the microservice is -a TLS client only (indicated by setting .Values.tlsServer to false), the -certificate information includes only the AAF CA cert. - If the microservice uses certificates from an external CMPv2 provider, the Deployment will include an initContainer that performs certificate post-processing. @@ -239,11 +237,10 @@ post-processing. {{- $log := default dict .Values.log -}} {{- $logDir := default "" $log.path -}} {{- $certDir := (eq "true" (include "common.needTLS" .)) | ternary (default "" .Values.certDirectory . ) "" -}} -{{- $tlsServer := default "" .Values.tlsServer -}} {{- $commonRelease := print (include "common.release" .) -}} {{- $policy := default dict .Values.policies -}} {{- $policyRls := default $commonRelease $policy.policyRelease -}} -{{- $drFeedConfig := default "" .Values.drFeedConfig -}} +{{- $drNeedProvisioning := or .Values.drFeedConfig .Values.drSubConfig -}} {{- $dcaeName := print (include "common.fullname" .) }} {{- $dcaeLabel := (dict "dcaeMicroserviceName" $dcaeName) -}} {{- $dot := . -}} 
@@ -261,44 +258,6 @@ spec: {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} {{- end }} {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }} - {{- if $certDir }} - - name: {{ include "common.name" . }}-aaf-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - aaf-cm - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - - name: init-tls - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: TLS_SERVER - value: {{ $tlsServer | quote }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - resources: {{ include "common.resources" . | nindent 2 }} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - {{- end }} {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} containers: - image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }} @@ -348,10 +307,10 @@ spec: {{- end }} {{- end }} {{- end }} - resources: {{ include "common.resources" . | nindent 2 }} + resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /app-config - name: {{ ternary "app-config-input" "app-config" (not $drFeedConfig) }} + name: {{ ternary "app-config-input" "app-config" (not $drNeedProvisioning) }} - mountPath: /app-config-input name: app-config-input {{- if $logDir }} 
@@ -411,14 +370,10 @@ spec: - name: POLICY_SYNC_DURATION value: "{{ $policy.duration }}" {{- end }} - resources: {{ include "common.resources" . | nindent 2 }} + resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /etc/policies name: policy-shared - {{- if $certDir }} - - mountPath: /opt/ca-certificates/ - name: tls-info - {{- end }} {{- end }} hostname: {{ include "common.name" . }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -448,8 +403,7 @@ spec: {{- end }} {{- include "common.dmaap.provisioning._volumes" . | nindent 6 -}} {{- include "dcaegen2-services-common._externalVolumes" . | nindent 6 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end -}} {{/* diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml index eaabfa3808..d5cc948cb4 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2021 Nordix Foundation. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,27 +19,27 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE DataFile Collector Helm charts name: dcae-datafile-collector -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml index cbe02a1bf9..30da823e60 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml @@ -2,7 +2,8 @@ # ========================================================================= # Copyright (c) 2021 Nordix Foundation. # Copyright (c) 2022 Nokia. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ========================================================================= # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -45,14 +46,13 @@ secrets: ################################################################# # InitContainer Images. ################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.9.0 +image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.10.0 pullPolicy: Always # Log directory where logging sidecar should look for log files 
@@ -66,11 +66,6 @@ logConfigMapNamePrefix: '{{ include "common.fullname" . }}' # if absent, no certs will be retrieved and stored certDirectory: /opt/app/datafile/etc/cert -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - # CMPv2 certificate # It is used only when: # - certDirectory is set @@ -94,12 +89,12 @@ certificates: create: true # Dependencies +# Waiting for dmaap-dr-node (which depends on dmaap-dr-prov) +# to be sure that we can provision the DR feed that's needed readinessCheck: wait_for: - containers: - - aaf-cm - - dmaap-bc - - dmaap-provisioning-job + services: + - dmaap-dr-node - message-router # Probe Configuration @@ -131,6 +126,14 @@ ingress: config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: message-router-read + - serviceAccount: istio-ingress + namespace: istio-ingress + # Data Router Publisher Credentials drPubscriberCreds: username: username @@ -150,11 +153,11 @@ applicationConfig: dmaap.certificateConfig.keyPasswordPath: /opt/app/datafile/etc/cert/p12.pass dmaap.certificateConfig.trustedCa: /opt/app/datafile/etc/cert/trust.jks dmaap.certificateConfig.trustedCaPasswordPath: /opt/app/datafile/etc/cert/trust.pass - dmaap.certificateConfig.enableCertAuth: true + dmaap.certificateConfig.enableCertAuth: false dmaap.dmaapConsumerConfiguration.consumerGroup: OpenDcae-c12 dmaap.dmaapConsumerConfiguration.consumerId: C12 dmaap.dmaapConsumerConfiguration.timeoutMs: -1 - dmaap.security.enableDmaapCertAuth: true + dmaap.security.enableDmaapCertAuth: false dmaap.security.keyStorePasswordPath: /opt/app/datafile/etc/cert/jks.pass dmaap.security.keyStorePath: /opt/app/datafile/etc/cert/cert.jks dmaap.security.trustStorePasswordPath: /opt/app/datafile/etc/cert/trust.pass 
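Review bot: Hunk `@@ -150,11 +153,11 @@` turns `dmaap.certificateConfig.enableCertAuth` and `dmaap.security.enableDmaapCertAuth` to `false` by default with no comment saying what replaces them. The `serviceMesh.authorizationPolicy` block added in `@@ -131,6 +126,14 @@` presumably only takes effect when the mesh and its authorization policies are enabled, so a deployment without the mesh would have neither certificate authentication nor mesh mTLS on the DMaaP connections. A comment above the two keys would make the dependency explicit, e.g. `# cert auth off: transport security is delegated to the service mesh; set to true when deploying without it`. The keystore and truststore path keys left in place appear to be unused under this default, which is worth a note as well.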
@@ -164,10 +167,10 @@ applicationConfig: streams_publishes: PM_MEAS_FILES: dmaap_info: - publisher_id: ${DR_FILES_PUBLISHER_ID_0} + publisher_id: "dummy_id" location: loc00 - log_url: ${DR_LOG_URL_0} - publish_url: ${DR_FILES_PUBLISHER_URL_0} + log_url: ${DR_FEED_LOGURL_0} + publish_url: ${DR_FEED_PUBURL_0} username: ${DR_USERNAME} password: ${DR_PASSWORD} type: data_router @@ -177,27 +180,25 @@ applicationConfig: topic_url: "http://message-router:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT" type: message_router +applicationEnv: + #CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + # DataRouter Feed Configuration drFeedConfig: - feedName: bulk_pm_feed - owner: dcaecm feedVersion: "0.0" - asprClassification: unclassified + classification: unclassified feedDescription: DFC Feed Creation - -# DataRouter Publisher Configuration -drPubConfig: - - feedName: bulk_pm_feed - username: ${DR_USERNAME} - userpwd: ${DR_PASSWORD} - dcaeLocationName: loc00 + publisher: + username: ${DR_USERNAME} + password: ${DR_PASSWORD} # ConfigMap Configuration for Feed, Dr_Publisher volumes: - name: feeds-config path: /opt/app/config/feeds - - name: drpub-config - path: /opt/app/config/dr_pubs # Resource Limit Flavor -By Default Using Small flavor: small @@ -206,18 +207,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 500m - memory: 768Mi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml index dc19527be6..b997fbeb27 100644 
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml @@ -21,21 +21,21 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE datalake-admin-ui helm chart name: dcae-datalake-admin-ui -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml index e18ea04ee1..f7c9381611 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml @@ -1,7 +1,7 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -31,21 +31,6 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - -################################aafcreds################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# 
@@ -59,19 +44,11 @@ log: path: /var/log/ONAP/dcaegen2/services/datalake-admin-ui logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datalake-admin-ui/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - # Dependencies readinessCheck: wait_for: - - dcae-datalake-feeder + services: + - dl-feeder # Probe Configuration readiness: @@ -91,10 +68,9 @@ service: port: 8088 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] # Initial Application Configuration applicationConfig: @@ -106,18 +82,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml index 6f3a9aff06..317695ecfc 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml 
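Review bot: `authorizedPrincipals: []` in hunk `@@ -91,10 +68,9 @@` carries no comment saying what an empty list means for callers of this service. The `common.authorizationPolicy` template is not part of this view; if it renders like the feeder's Postgres policy added in this commit (an `ALLOW` policy whose `rules:` entries are emitted only for a non-empty list), an empty list produces an ALLOW policy with no rules, which Istio treats as matching no request. A comment such as `# empty list: no in-mesh caller is authorised once authorization policies are enabled` (or the opposite, if that is what the common template does) would make the default explicit. The same applies to the identical block added to dcae-datalake-des/values.yaml in `@@ -97,10 +79,9 @@`.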
@@ -21,21 +21,21 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Datalake DES MS charts name: dcae-datalake-des -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml index cab2a953ec..f45905cd12 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml 
@@ -1,7 +1,7 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -36,22 +36,12 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds externalSecret: '{{ include "common.release" . }}-datalake-pg-user-creds' type: basicAuth login: '{{ .Values.postgres.config.pgUserName }}' passwordPolicy: required -################################aafcreds################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# 
@@ -65,19 +55,11 @@ log: path: /var/log/ONAP/dcaegen2/services/datalake logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datalake/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - # Dependencies readinessCheck: wait_for: - - dcae-datalake-feeder + services: + - dl-feeder # Probe Configuration readiness: @@ -97,10 +79,9 @@ service: port: 1681 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] #postgres configuration postgres: @@ -136,18 +117,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml index 3b890d001b..4f085d5504 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml 
@@ -21,24 +21,24 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Datalake feeder MS charts name: dcae-datalake-feeder -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml index 25b74d7502..36e1d7bda6 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml @@ -1,7 +1,7 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (C) 2021 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
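Review bot: The principal strings in all three policies fall back to a literal namespace, `default "onap" $principal.namespace`, and prefix the release name only when that value equals `"onap"`, while the policy itself is created in `include "common.namespace" .`. In a release installed into any other namespace the rendered principals would name service accounts under `ns/onap`, so the intended clients would not match and an unrelated `onap` namespace in the same mesh would; this is inferred from the template alone, since `common.namespace` is defined outside this diff. I would derive the default from the chart, `{{- $namespace := default (include "common.namespace" $dot) $principal.namespace -}}`, and compare against the same value in the `if eq` line. The identical file is added for dcae-heartbeat later in this commit, so the same change applies there. The three documents differ only in the `$pgHost` suffix, so a single `range` over the suffixes, or a helper in the common chart, would keep the copies from drifting.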
@@ -35,11 +35,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds name: &pgUserCredsSecretName '{{ include "common.release" . }}-datalake-pg-user-creds' type: basicAuth @@ -48,11 +43,6 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# @@ -67,20 +57,6 @@ log: path: /var/log/ONAP/dcaegen2/services/datalake logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datalake/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-datalake-postgres - # Probe Configuration readiness: initialDelaySeconds: 90 
@@ -99,10 +75,14 @@ service: port: 1680 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datalake-admin-ui-read + - serviceAccount: dcae-datalake-des-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read credentials: - name: PG_USER @@ -141,25 +121,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-datalake-postgres service: name: *postgresName name2: dcae-datalake-pg-primary @@ -176,6 +156,11 @@ postgres: pgDatabase: datalake pgUserExternalSecret: *pgUserCredsSecretName +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + #Pods Service Account serviceAccount: nameOverride: dcae-datalake-feeder diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml index ecde5e6c3d..6ff60f4de5 100644 --- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml 
@@ -21,24 +21,24 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Heartbeat Microservice name: dcae-heartbeat -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml index 0198a7ddbd..da8f2c6561 100644 --- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml @@ -1,7 +1,7 @@ # ================================ LICENSE_START ============================= # ============================================================================ -# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -35,11 +35,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds name: &pgUserCredsSecretName '{{ include "common.release" . }}-heartbeat-pg-user-creds' type: basicAuth @@ -48,16 +43,11 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.heartbeat:2.5.0 +image: onap/org.onap.dcaegen2.services.heartbeat:2.6.1 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -67,21 +57,6 @@ log: path: /var/log/ONAP/dcaegen2/services/heartbeat logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/heartbeat/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-heartbeat-postgres - - message-router - # Probe Configuration readiness: initialDelaySeconds: 10 
@@ -100,18 +75,14 @@ service: port: 10002 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-heartbeat-read credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - name: HEARTBEAT_PG_USERNAME uid: *pgUserCredsSecretUid key: login @@ -159,25 +130,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-heartbeat-postgres service: name: *postgresName name2: dcae-heartbeat-pg-primary @@ -194,6 +165,13 @@ postgres: pgDatabase: heartbeat pgUserExternalSecret: *pgUserCredsSecretName +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + #Pods Service Account serviceAccount: nameOverride: dcae-heartbeat diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml index 59fda72e2a..48ffbd2c71 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml 
@@ -21,24 +21,21 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE HV VES collector name: dcae-hv-ves-collector -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-kafka-user.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-kafka-user.yaml deleted file mode 100644 index ff977aaa32..0000000000 
--- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-kafka-user.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.hvVesKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-fault-supervision" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-provisioning" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-heartbeat" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-performance-assurance" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ .Values.applicationConfig.streams_publishes.perf3gpp.kafka_info.topic_name }} - operation: Write 
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-topics.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-topics.yaml deleted file mode 100644 index e40775833a..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-topics.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-fault-supervision - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-fault-supervision" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-provisioning - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-provisioning" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-heartbeat - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-heartbeat" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-performance-assurance - labels: - strimzi.io/cluster: {{ include "common.release" . 
}}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-performance-assurance" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: perf3gpp - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ .Values.applicationConfig.streams_publishes.perf3gpp.kafka_info.topic_name }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index da3f47358b..2365c17e28 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -1,8 +1,8 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021-2022 Nokia. All rights reserved. -# Copyright © 2022 Nordix Foundation +# Modifications Copyright (C) 2022-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -35,7 +35,6 @@ filebeatConfig: ################################################################# # initContainer images. ################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 ################################################################# @@ -45,6 +44,9 @@ certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice- image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.11.0 pullPolicy: Always +commonName: &commonName dcae-hv-ves-collector +containerPort: &containerPort 6061 + # log directory where logging sidecar should look for log files # if path is set to null sidecar won't be deployed in spite of # global.centralizedLoggingEnabled setting. @@ -56,22 +58,6 @@ logConfigMapNamePrefix: '{{ include "common.fullname" . }}' # if absent, no certs will be retrieved and stored certDirectory: /etc/ves-hv/ssl -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - -secrets: - - uid: hv-ves-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate -config: - someConfig: blah - # CMPv2 certificate # It is used only when: # - certDirectory is set @@ -81,9 +67,9 @@ config: useCmpv2Certificates: false certificates: - mountPath: /etc/ves-hv/ssl/external - commonName: dcae-hv-ves-collector + commonName: *commonName dnsNames: - - dcae-hv-ves-collector + - *commonName - hv-ves-collector - hv-ves keystore: @@ -94,11 +80,6 @@ certificates: key: password create: true -# dependencies -readinessCheck: - wait_for: - - aaf-cm - # probe configuration readiness: type: exec 
@@ -108,75 +89,115 @@ readiness: command: - /opt/ves-hv-collector/healthcheck.sh +# since there are problems receiving binary data via the sidecar +# the service port is excluded in the sidecar processing +podAnnotations: + traffic.sidecar.istio.io/excludeInboundPorts: '6061' + traffic.sidecar.istio.io/includeInboundPorts: '*' + # service configuration service: type: NodePort - name: dcae-hv-ves-collector + name: *commonName ports: - - name: http - port: 6061 - port_protocol: http + - name: tcp + port: *containerPort + port_protocol: tcp + app_protocol: tcp nodePort: 22 ingress: enabled: false service: - baseaddr: "dcae-hv-ves-collector-api" - name: "dcae-hv-ves-collector" - port: 6061 + name: *commonName + port: *containerPort config: ssl: "redirect" -#strimzi kafka config -hvVesKafkaUser: dcae-hv-ves-kafka-user +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress # initial application configuration applicationConfig: logLevel: INFO server.idleTimeoutSec: 300 - server.listenPort: 6061 + server.listenPort: *containerPort cbs.requestIntervalSec: 5 - security.sslDisable: false + security.sslDisable: true security.keys.keyStoreFile: /etc/ves-hv/ssl/cert.jks security.keys.keyStorePasswordFile: /etc/ves-hv/ssl/jks.pass security.keys.trustStoreFile: /etc/ves-hv/ssl/trust.jks security.keys.trustStorePasswordFile: /etc/ves-hv/ssl/trust.pass streams_publishes: ves-3gpp-fault-supervision: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_FAULTSUPERVISION_OUTPUT + topic_name: &ves3gppFaultSupervision SEC_3GPP_FAULTSUPERVISION_OUTPUT ves-3gpp-provisioning: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_PROVISIONING_OUTPUT + topic_name: &ves3gppProvisioning SEC_3GPP_PROVISIONING_OUTPUT ves-3gpp-heartbeat: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: 
bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_HEARTBEAT_OUTPUT + topic_name: &ves3gppHeartbeat SEC_3GPP_HEARTBEAT_OUTPUT ves-3gpp-performance-assurance: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT + topic_name: &ves3gppPerformanceAssurance SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT perf3gpp: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: HV_VES_PERF3GPP + topic_name: &perf3gpp HV_VES_PERF3GPP + +# Strimzi Kafka config +kafkaUser: + acls: + - name: SEC_3GPP + type: topic + patternType: prefix + operations: [Write, DescribeConfigs] + - name: *perf3gpp + type: topic + operations: [Write, DescribeConfigs] + +kafkaTopic: + - name: *ves3gppFaultSupervision + strimziTopicName: dcae-ves-3gpp-fault-supervision + # the default retention values below can be updated + # to meet use case requirements for each topic. + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: *ves3gppProvisioning + strimziTopicName: dcae-ves-3gpp-provisioning + - name: *ves3gppHeartbeat + strimziTopicName: dcae-ves-3gpp-heartbeat + - name: *ves3gppPerformanceAssurance + strimziTopicName: dcae-ves-3gpp-performance-assurance + - name: *perf3gpp + strimziTopicName: dcae-ves-3gpp-perf + applicationEnv: JAVA_OPTS: '-Dlogback.configurationFile=/etc/ONAP/dcae-hv-ves-collector/logback.xml' CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' #Temporary Dummy CBS Port Value until internal SDK library is updated CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + MESSAGING_TYPE: 'kafka' KAFKA_BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' USE_SCRAM: 'true' JAAS_CONFIG: - secretUid: hv-ves-kafka-secret + externalSecret: true + externalSecretUid: '{{ include "common.name" . }}-ku' key: sasl.jaas.config # Resource Limit flavor -By Default using small 
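Review bot: In dcae-hv-ves-collector/values.yaml the new `podAnnotations` exclude inbound port 6061 from the Istio sidecar in the same hunk that flips `security.sslDisable` from `false` to `true`, so the collector's only service port (published as a `NodePort`) is left with neither application TLS nor mesh mTLS. Traffic on an excluded port is not redirected through the sidecar, so the `serviceMesh.authorizationPolicy` entry for `istio-ingress` added a few lines further down presumably cannot be enforced on 6061 either. If the binary-data problem with the sidecar is the reason for the exclusion, I would keep `security.sslDisable: false` for this listener, or at least extend the comment above the annotation to `# port 6061 bypasses the sidecar: no mTLS and no AuthorizationPolicy apply, restrict access with a NetworkPolicy`. The annotation also hard-codes `'6061'` while the rest of the hunk uses `*containerPort`; a comment tying the two together would prevent them drifting apart.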
@@ -185,22 +206,22 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: dcae-hv-ves-collector + nameOverride: *commonName roles: - read diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml index b47d717cbe..b4c79c915b 100644 --- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 Wipro Limited. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,24 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE KPI MS chart name: dcae-kpi-ms -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml index 19ff61fa96..61b78fa01f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml @@ -1,7 +1,8 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021-2022 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,26 +32,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.0.11 +image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.2.1 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -60,16 +46,6 @@ log: path: /var/log/ONAP/dcaegen2/services/kpims logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/kpims/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false -enable_tls: false - # Optional Policy configuration properties # if present, policy-sync side car will be deployed #dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 @@ -80,7 +56,8 @@ enable_tls: false # Dependencies readinessCheck: wait_for: - - message-router + services: + - message-router # Probe Configuration readiness: 
@@ -100,18 +77,10 @@ service: port: 8080 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! - -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read # Initial Application Configuration applicationConfig: @@ -148,18 +117,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml index 39d7c1ab04..e293252f66 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml @@ -23,15 +23,15 @@ apiVersion: v2 appVersion: "Kohn" description: ONAP DCAE Microservice Health Check name: dcae-ms-healthcheck -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml index 4a51c7f9d8..f6d179428a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml @@ -31,8 +31,7 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -65,5 +64,4 @@ spec: - name: {{ include "common.fullname" . }}-expected-components configMap: name: {{ include "common.release" . }}-dcae-expected-microservices - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml index 3b47e7f70e..8b8f928c39 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml @@ -31,6 +31,10 @@ service: - port: 8080 name: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + # Label on DCAE microservice deployments # (Used by healthcheck code to find deployments # created after initial DCAE installation) @@ -48,7 +52,7 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 # application image -image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.0 +image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.1 # Resource Limit flavor -By Default using small flavor: small @@ -56,18 +60,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml index 8f28dcaa25..30cb9cfe6c 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2021 Nordix Foundation. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
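Review bot: `authorizedPrincipals: []` in the first dcae-ms-healthcheck/values.yaml hunk carries no comment saying whether an empty list means "allow every caller" or "allow none", and the answer depends on `common.authorizationPolicy`, which is not shown on this page. If that helper follows the pattern of the dcae-pmsh template added in this same commit (an `ALLOW` policy whose `rules:` is filled only when the list is non-empty), the rendered policy has no rules and matches no request. Once the behaviour is confirmed I would document it next to the value, for example `# empty list: the ALLOW policy renders without rules; confirm the healthcheck's callers are still admitted`.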
@@ -18,24 +19,24 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE PM-Mapper Helm charts name: dcae-pm-mapper -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../common/dcaegen2-services-common' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml index a2479b62e2..290c313b52 100644 
--- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml @@ -2,7 +2,8 @@ # ========================================================================= # Copyright (C) 2021 Nordix Foundation. # Copyright (c) 2022 Nokia. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ========================================================================= # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -36,27 +37,17 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &drSubCredsUID drsubcreds type: basicAuth login: '{{ .Values.drSubscriberCreds.username }}' password: '{{ .Values.drSubscriberCreds.password }}' passwordPolicy: required -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.pm-mapper:1.9.0 +image: onap/org.onap.dcaegen2.services.pm-mapper:1.10.1 pullPolicy: Always # Log directory where logging sidecar should look for log files 
@@ -66,23 +57,17 @@ log: path: /var/log/ONAP/dcaegen2/services/pm-mapper logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/pm-mapper/etc/cert - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - # Dependencies +# Depend on the datafile-collector, which guarantees that +# the DR feed that pm-mapper susbscribes to will be created +# already by the datafile-collector DMaaP provisioning init +# container. Also guarantees that DR provisioning will be +# available for pm-mapper initContainter to create the +# subscription to the feed. readinessCheck: wait_for: - containers: - - dmaap-bc - - dmaap-provisioning-job - - dcae-datafile-collector - - message-router + services: + - datafile-collector # Probe Configuration readiness: @@ -104,10 +89,10 @@ service: plain_port: 8081 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read # Data Router Subscriber Credentials drSubscriberCreds: @@ -115,12 +100,6 @@ drSubscriberCreds: password: password credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - name: DR_USERNAME uid: *drSubCredsUID key: login 
@@ -135,16 +114,16 @@ applicationConfig: aaf_identity: "" aaf_password: "" pm-mapper-filter: "{ \"filters\":[] }" - key_store_path: /opt/app/pm-mapper/etc/cert/cert.jks - key_store_pass_path: /opt/app/pm-mapper/etc/cert/jks.pass + #key_store_path: /opt/app/pm-mapper/etc/cert/cert.jks + #key_store_pass_path: /opt/app/pm-mapper/etc/cert/jks.pass trust_store_path: /opt/app/pm-mapper/etc/cert/trust.jks trust_store_pass_path: /opt/app/pm-mapper/etc/cert/trust.pass - dmaap_dr_delete_endpoint: https://dmaap-dr-node:8443/delete + dmaap_dr_delete_endpoint: http://dmaap-dr-node:8080/delete streams_publishes: dmaap_publisher: type: message_router dmaap_info: - client_id: ${MR_FILES_PUBLISHER_CLIENT_ID_0} + client_id: "dummy_id" location: san-francisco client_role: org.onap.dcae.pmPublisher topic_url: http://message-router:3904/events/unauthenticated.PERFORMANCE_MEASUREMENTS @@ -152,7 +131,7 @@ applicationConfig: dmaap_subscriber: type: data_router dmaap_info: - subscriber_id: ${DR_FILES_SUBSCRIBER_ID_0} + subscriber_id: "dummy_id" decompress: true privileged: true username: ${DR_USERNAME} 
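Review bot: In dcae-pm-mapper `applicationConfig`, `dmaap_dr_delete_endpoint` changes from `https://dmaap-dr-node:8443/delete` to `http://dmaap-dr-node:8080/delete` without any comment, which leaves transport protection of that call entirely to the service mesh. A line such as `# plain HTTP: relies on Istio mTLS between pm-mapper and dmaap-dr-node` above the endpoint would record the assumption, so a deployment without the mesh does not silently send Data Router requests in cleartext. The same hunk comments out `key_store_path` and `key_store_pass_path` but keeps `trust_store_path` and `trust_store_pass_path` pointing into `/opt/app/pm-mapper/etc/cert/`, a directory the earlier hunk stops populating by removing `certDirectory`; either comment those two out as well or say why they must stay.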
@@ -160,28 +139,23 @@ applicationConfig: location: san-francisco delivery_url: http://dcae-pm-mapper:8081/delivery -# DataRouter Feed Configuration -drFeedConfig: - - feedName: bulk_pm_feed - owner: dcaecm - feedVersion: "0.0" - asprClassification: unclassified - feedDescription: DFC Feed Creation +applicationEnv: + #CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' # DataRouter Subscriber Configuration drSubConfig: - feedName: bulk_pm_feed + feedVersion: "0.0" decompress: true username: ${DR_USERNAME} userpwd: ${DR_PASSWORD} - dcaeLocationName: loc00 privilegedSubscriber: true deliveryURL: http://dcae-pm-mapper:8081/delivery -# ConfigMap Configuration for Dr Feed, Subscriber, MR Topics +# ConfigMap Configuration for DR Subscriber volumes: - - name: feeds-config - path: /opt/app/config/feeds - name: drsub-config path: /opt/app/config/dr_subs @@ -192,18 +166,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml index 75ebdde7e7..f721f0aba4 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml 
@@ -22,24 +22,24 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE PMSH Service name: dcae-pmsh -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml index 7f306542b4..0f7289cc07 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml @@ -1,7 +1,7 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (C) 2021 Nordix Foundation. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,11 +35,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds name: &pgUserCredsSecretName '{{ include "common.release" . }}-pmsh-pg-user-creds' type: basicAuth 
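Review bot: All three policies in dcae-pmsh/templates/authorizationpolicy.yaml default the principal's namespace to the literal `onap` (`default "onap" $principal.namespace`, then `eq "onap" $namespace`), so when the chart is installed into any other namespace the rendered principal names a service account under `ns/onap` instead of the release's own namespace. That either locks out the intended client or, if a namespace called `onap` exists in the cluster, authorizes an identity this release does not own. Deriving the value from the release keeps the policy tied to where it is deployed: set `{{- $ns := include "common.namespace" $dot -}}` before the `range`, then use `default $ns $principal.namespace` and `eq $ns $namespace` inside it. Separately, when `authorizedPrincipalsPostgres` is empty `rules:` renders with no entries, which for an `ALLOW` policy matches no request; a template comment stating that this fail-closed result is intended would help, and the three near-identical documents could share one named template that takes the `app` label suffix as an argument.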
@@ -48,16 +43,11 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.pmsh:2.2.2 +image: onap/org.onap.dcaegen2.services.pmsh:2.2.3 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -67,21 +57,6 @@ log: path: /var/log/ONAP/dcaegen2/services/pmsh logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/pmsh/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-pmsh-postgres - - message-router - # Probe Configuration readiness: initialDelaySeconds: 10 
@@ -101,24 +76,18 @@ service: plain_port: 8080 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! - -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-pmsh-read # Initial Application Configuration applicationConfig: enable_tls: false - aaf_identity: ${AAF_IDENTITY} - aaf_password: ${AAF_PASSWORD} + aaf_identity: dummy_value + aaf_password: dummy_value key_path: /opt/app/pmsh/etc/certs/key.pem cert_path: /opt/app/pmsh/etc/certs/cert.pem ca_cert_path: /opt/app/pmsh/etc/certs/cacert.pem @@ -164,25 +133,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-pmsh-postgres service: name: *postgresName name2: *dcaePmshPgPrimary @@ -199,6 +168,13 @@ postgres: pgDatabase: pmsh pgUserExternalSecret: *pgUserCredsSecretName +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + #Pods Service Account serviceAccount: nameOverride: dcae-pmsh diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml index 9c7a980932..fefc06e805 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml 
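Review bot: The new `aaf_identity: dummy_value` and `aaf_password: dummy_value` entries in `applicationConfig` carry no explanation, so a later reader cannot tell a deliberate placeholder from a forgotten credential. A one-line comment above them would settle it, for example `# AAF has been removed; placeholders kept only because the application config still expects these keys (confirm)`. The same block keeps `enable_tls: false` next to `key_path`, `cert_path` and `ca_cert_path` under /opt/app/pmsh/etc/certs, while this commit drops `certDirectory` and the TLS init container image. Those paths presumably point at files that are no longer provisioned, which is worth stating in the same comment.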
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,21 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE PRH name: dcae-prh -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkatopic.yaml
new file mode 100644
index 0000000000..8e3ee32cb2
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkatopic.yaml
@@ -0,0 +1,16 @@
+{{/*
+# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkatopic" . }}
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkauser.yaml
new file mode 100644
index 0000000000..5c7edd5b19
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkauser.yaml
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index 80154c781f..11cb72690c 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -1,7 +1,8 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2022 Nokia. All rights reserved. +# Copyright (c) 2024 Deutsche Telekom Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,16 +32,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# initContainer images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.8.1 +image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.10.1 pullPolicy: Always # log directory where logging sidecar should look for log files @@ -50,15 +46,6 @@ log: path: /opt/app/prh/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/prh/etc/cert - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - secrets: - uid: &aaiCredsUID aaicreds type: basicAuth @@ -66,11 +53,6 @@ secrets: password: '{{ .Values.aaiCreds.password }}' passwordPolicy: required -# dependencies -readinessCheck: - wait_for: - - message-router - # probe configuration readiness: initialDelaySeconds: 5 @@ -87,6 +69,11 @@ service: - port: 8100 name: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + aaiCreds: user: AAI password: AAI 
@@ -148,6 +135,42 @@ applicationConfig: applicationEnv: CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' AUTH_HDR: '{{ printf "Basic %s" (print .Values.aaiCreds.user ":" .Values.aaiCreds.password | b64enc) }}' + BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' + JAAS_CONFIG: + externalSecret: true + externalSecretUid: '{{ include "common.name" . }}-ku' + key: sasl.jaas.config + +# Strimzi Kafka User config +kafkaUser: + acls: + - name: OpenDCAE-c12 + type: group + patternType: literal + operations: [Read] + - name: \"*\" + type: topic + patternType: literal + operations: [DescribeConfigs] + - name: unauthenticated.VES_PNFREG_OUTPUT + type: topic + patternType: literal + operations: [Read] + - name: unauthenticated.PNF_READY + type: topic + patternType: literal + operations: [Write] + - name: unauthenticated.PNF_UPDATE + type: topic + patternType: literal + operations: [Write] + +# Strimzi Kafka Topics +kafkaTopic: + - name: unauthenticated.PNF_READY + strimziTopicName: unauthenticated.pnf-ready + - name: unauthenticated.PNF_UPDATE + strimziTopicName: unauthenticated.pnf-update # Resource Limit flavor -By Default using small flavor: small @@ -155,18 +178,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "3Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "3Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "2" + memory: "6Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "6Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml index 10ce14028a..72d43e9481 100644 --- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml 
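Review bot: The `kafkaUser.acls` entry `- name: \"*\"` with `type: topic`, `patternType: literal` and `operations: [DescribeConfigs]` is the only ACL here not tied to a named topic or group, and nothing in the file says why it is needed. If it renders to the Kafka wildcard resource, this user can read the configuration of every topic on the cluster, which is wider than the three `unauthenticated.*` topics the other entries cover. Either drop it or justify it in place, e.g. `# wildcard DescribeConfigs is needed by the client at startup (confirm); grants no read/write on other topics`. The escaped quotes also deserve a word, since whether the backslashes survive into the rendered resource name depends on `common.kafkauser`, which is not visible in this diff.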
@@ -3,6 +3,7 @@ # Copyright (c) 2021 AT&T Intellectual Property # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,24 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE RESTConf Collector name: dcae-restconf-collector -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml index d9fd33ff18..8e6cc7a4a6 100644 --- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml @@ -1,7 +1,8 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -41,17 +42,11 @@ secrets: password: '{{ .Values.controllerCreds.password }}' passwordPolicy: required - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.3.4 +image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.4.1 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -61,19 +56,11 @@ log: path: null # /opt/app/restconfcollector/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/dcae-certificate - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - # Dependencies readinessCheck: wait_for: - - message-router + services: + - message-router # Probe Configuration readiness: @@ -107,6 +94,12 @@ ingress: config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + # AAF Credentials controllerCreds: username: access 
@@ -132,12 +125,14 @@ applicationConfig: collector.rcc.inputQueue.maxPending: '8096' tomcat.maxthreads: '200' collector.rcc.service.port: '8080' - collector.rcc.service.secure.port: '8687' - collector.rcc.keystore.file.location: /opt/app/dcae-certificate/cert.jks - collector.rcc.keystore.passwordfile: /opt/app/dcae-certificate/jks.pass - collector.rcc.keystore.alias: dynamically generated - collector.rcc.truststore.file.location: /opt/app/dcae-certificate/trust.jks - collector.rcc.truststore.passwordfile: /opt/app/dcae-certificate/trust.pass + # Disabling of secure port not working (DCAEGEN2-3336) + collector.rcc.service.secure.port: '0' + #collector.rcc.service.secure.port: '8687' + #collector.rcc.keystore.file.location: /opt/app/dcae-certificate/cert.jks + #collector.rcc.keystore.passwordfile: /opt/app/dcae-certificate/jks.pass + #collector.rcc.keystore.alias: dynamically generated + #collector.rcc.truststore.file.location: /opt/app/dcae-certificate/trust.jks + #collector.rcc.truststore.passwordfile: /opt/app/dcae-certificate/trust.pass #collector.keystore.file.location: /opt/app/dcae-certificate/external/cert.jks #collector.keystore.passwordfile: /opt/app/dcae-certificate/external/jks.pass collector.header.authflag: '0' @@ -162,18 +157,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml index ed555b28a2..f90bd1ef95 100644 --- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml 
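Review bot: Setting `collector.rcc.service.secure.port: '0'` and commenting out the keystore and truststore settings leaves the collector with only the plain port `8080`, and the unchanged `collector.header.authflag: '0'` below suggests the application itself does not authenticate callers. Transport protection and caller restriction then rest entirely on the service mesh and the `authorizedPrincipals` entry for `istio-ingress` added earlier in this file, so a deployment with authorization policies switched off would presumably expose an unauthenticated plain-HTTP endpoint. The added comment only cites DCAEGEN2-3336; I would extend it to state that dependency, e.g. `# TLS and caller authorization are delegated to the service mesh; do not deploy this chart without it`. The six newly commented-out keys could be deleted rather than kept as dead configuration.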
@@ -3,6 +3,7 @@ # Copyright (c) 2021 Wipro Limited. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,27 +19,27 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE SliceAnalysis MS charts name: dcae-slice-analysis-ms -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml index 3fdd251110..fd70e36619 100644 --- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml @@ -1,8 +1,9 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021-2022 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # Copyright (C) 2022 Huawei Canada Limited. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
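Review bot: In all three policy documents of this file the caller namespace is fixed by `{{- $namespace := default "onap" $principal.namespace -}}` and the release prefix is applied only under `{{- if eq "onap" $namespace }}`, so a release installed in any other namespace would render principals under `ns/onap` that no local service account matches. Because the policies are `action: ALLOW`, the likely effect is that the application is locked out of its own Postgres pods rather than anything being opened up, but it is still a hard-coded assumption. Deriving the default from the helper already used for `metadata.namespace` would remove it: `{{- $ns := include "common.namespace" $dot -}}`, then `default $ns $principal.namespace` and `if eq $ns $namespace`. `$principal.serviceAccount` is also interpolated unchecked; wrapping it in `required` would turn an entry without that key into a render error instead of a principal ending in `/sa/<release>-`. The same template text appears to be repeated in the dcae-pmsh and dcae-son-handler charts of this commit.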
@@ -36,11 +37,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds name: &pgUserCredsSecretName '{{ include "common.release" . }}-sliceanalysisms-pg-user-creds' type: basicAuth @@ -49,17 +45,12 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################aafcreds################################# -# InitContainer Image -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.1.5 +image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.2.1 pullPolicy: IfNotPresent ################################################################# @@ -85,21 +76,6 @@ log: path: /var/log/ONAP/dcaegen2/services/sliceanalysisms logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/sliceanalysisms/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-sliceanalysisms-postgres - - message-router - # Probe Configuration readiness: initialDelaySeconds: 60 
@@ -118,18 +94,14 @@ service: port: 8080 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-slice-analysis-ms-read credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - name: PG_USERNAME uid: *pgUserCredsSecretUid key: login @@ -220,25 +192,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "4Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "4Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-sliceanalysisms-postgres service: name: *postgresName name2: dcae-sliceanalysisms-pg-primary @@ -255,6 +227,13 @@ postgres: pgDatabase: sliceanalysisms pgUserExternalSecret: *pgUserCredsSecretName +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + #Pods Service Account serviceAccount: nameOverride: dcae-slice-analysis-ms diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml index 4ffa58ed13..5f2eb49546 100644 --- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml 
@@ -3,6 +3,7 @@ # Copyright (c) 2021 AT&T Intellectual Property # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Copyright (c) 2024 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,24 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE SNMPTrap Collector name: dcae-snmptrap-collector -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml index 5340f35770..599b3d21b9 100644 --- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml @@ -1,7 +1,7 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,17 +31,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.7 +image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.8 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -51,17 +45,11 @@ log: path: /opt/app/snmptrap/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - - # Dependencies readinessCheck: wait_for: - - message-router + services: + - message-router # Probe Configuration readiness: @@ -82,6 +70,10 @@ service: nodePort: 70 useNodePortExt: true +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + # Initial Application Configuration applicationConfig: StormWatchPolicy: '' @@ -89,7 +81,7 @@ applicationConfig: dns_cache_ttl_seconds: 60 services_calls: {} snmptrapd: - version: '2.0.4' + version: '2.0.8' title: ONAP SNMP Trap Receiver sw_interval_in_seconds: 60 streams_publishes: @@ -97,8 +89,8 @@ applicationConfig: dmaap_info: topic_url: http://message-router:3904/events/unauthenticated.ONAP-COLLECTOR-SNMPTRAP type: message_router - aaf_password: null - aaf_username: null + aaf_password: "" + aaf_username: "" files: runtime_base_dir: "/opt/app/snmptrap" log_dir: logs 
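Review bot: `authorizedPrincipals: []` under the new `serviceMesh.authorizationPolicy` block does not say whether an empty list is meant to admit no mesh caller or to leave the service open; that depends on how `common.authorizationPolicy` treats an empty list, which is not visible in this diff. The other charts touched by this commit name at least one service account, so this one reads as either an oversight or a deliberate choice, and a comment should settle it, e.g. `# intentionally empty: traps arrive through the node port, no in-mesh client calls this service (confirm)`. If the helper turns an empty list into an allow-all policy, the list should name the expected callers instead.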
@@ -137,18 +129,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml index 57a182b8f4..b4bde7f0fe 100644 --- a/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2021 Wipro Limited. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,27 +19,27 @@ # ============= LICENSE_END ================================================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE Son-handler helm chart name: dcae-son-handler -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..30d173c2d8
--- /dev/null
+++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml
@@ -0,0 +1,136 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "primary" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ $postgresName }}-{{ $pgHost }}
+ action: ALLOW
+ rules:
+{{- if $authorizedPrincipalsPostgres }}
+{{- range $principal := $authorizedPrincipalsPostgres }}
+ - from:
+ - source:
+ principals:
+{{- $namespace := default "onap" $principal.namespace -}}
+{{- if eq "onap" $namespace }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}"
+{{- else }}
+ - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}"
+{{- end }}
+ to:
+ - operation:
+ ports:
+{{- range $port := $defaultOperationPorts }}
+ - "{{ $port }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+{{- $dot := default . .dot -}}
+{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}}
+{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}}
+{{- $defaultOperationPorts := list "5432" -}}
+{{- $relName := include "common.release" . -}}
+{{- $postgresName := $dot.Values.postgres.service.name -}}
+{{- $pgHost := "replica" -}}
+{{- if (include "common.useAuthorizationPolicies" .) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz
+ namespace: {{ include "common.namespace" .
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml index bd684e3db5..5e16967203 100644 --- a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml @@ -1,7 +1,8 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021-2022 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
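Review bot: The principal lookup hard-codes the namespace with `default "onap" $principal.namespace` and `eq "onap" $namespace`, repeated in all three policy documents of this new file. For a release installed outside `onap`, an entry without `namespace` renders `…/ns/onap/sa/<release>-<serviceAccount>`, which is not the release's own service account and would instead authorize whatever identity of that name exists in an `onap` namespace. I would take the default from the helper the file already uses for `metadata.namespace`, e.g. `{{- $ns := include "common.namespace" $dot -}}` then `{{- $namespace := default $ns $principal.namespace -}}` and `{{- if eq $ns $namespace }}`; the shared `common.authorizationPolicy` is not visible here and may need the same treatment. With an empty `authorizedPrincipalsPostgres` the policy renders `rules:` with no entries, which Istio evaluates as allow-nothing, so a comment saying this fail-closed result is intended would help the next reader.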
@@ -35,11 +36,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &cpsCredsUID cpscreds type: basicAuth login: '{{ .Values.cpsCreds.identity }}' @@ -53,16 +49,11 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.son-handler:2.1.11 +image: onap/org.onap.dcaegen2.services.son-handler:2.2.1 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -72,15 +63,6 @@ log: path: /var/log/ONAP/dcaegen2/services/sonhms logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/sonhms/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - # Optional Policy configuration properties # if present, policy-sync side car will be deployed #dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 
@@ -88,12 +70,6 @@ tlsServer: false # policyID: | # '["com.Config_PCIMS_CONFIG_POLICY"]' -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-sonhms-postgres - - message-router - # Probe Configuration readiness: initialDelaySeconds: 10 @@ -112,21 +88,19 @@ service: port: 8080 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-son-handler-read + +# Credentials cpsCreds: identity: cps password: cpsr0cks! credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - name: CPS_IDENTITY uid: *cpsCredsUID key: login @@ -227,25 +201,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-sonhms-postgres service: name: *postgresName name2: *dcaeSonhmsPgPrimary @@ -262,6 +236,13 @@ postgres: pgDatabase: sonhms pgUserExternalSecret: *pgUserCredsSecretName +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + #Pods Service Account serviceAccount: nameOverride: dcae-son-handler diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml index 25a54014d6..ffddeb55f2 100644 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml 
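Review bot: The block relabelled `# Credentials` in the `service:` hunk still ships `cpsCreds.password: cpsr0cks!` as a chart default, even though the same hunk removes the AAF default password. Every install that does not override the value therefore shares a CPS password that is published in the repository. I would ship an empty default and require the value or an external secret at deploy time, e.g. `password: ""` with the comment `# must be supplied per deployment`, using the same `passwordPolicy: required` that the removed `aafcreds` entry had. The `cpscreds` secret entry is only partly visible in this diff, so its current `passwordPolicy` needs checking.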
+++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,30 +19,27 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE TCA (Gen 2) name: dcae-tcagen2 -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' - - name: mongo - version: ~12.x-0 + - name: mongodb + version: 14.12.2 repository: '@local' \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml index 08ca865aff..393d7936a0 100644 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml @@ -1,7 +1,8 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -23,6 +24,15 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 centralizedLoggingEnabled: true + # Docker Repository used by RepositoryGenerator + dockerHubRepository: docker.io + # Additions for MongoDB**************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* ################################################################# # Filebeat configuration defaults. @@ -31,16 +41,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# initContainer images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.4 +image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.4.0 pullPolicy: Always # log directory where logging sidecar should look for log files @@ -50,15 +55,6 @@ log: path: /opt/logs/dcae-analytics-tca logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /etc/tca-gen2/ssl - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - secrets: - uid: &aaiCredsUID aaicreds type: basicAuth @@ -69,7 +65,8 @@ secrets: # dependencies readinessCheck: wait_for: - - message-router + services: + - message-router # probe configuration readiness: 
@@ -87,20 +84,32 @@ service: - port: 9091 name: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + # mongoDB overrides -mongo: +mongodb: nameOverride: dcae-mongo - config: - dbName: dcaecommondb + #config: + # dbName: dcaecommondb + auth: + enabled: false + databases: + - "dcaecommondb" + usernames: + - "dcae" service: - name: dcae-mongohost + nameOverride: dcae-mongohost internalPort: 27017 - nfsprovisionerPrefix: dcaemongo - sdnctlPrefix: tcagen2 - persistence: - mountSubPath: dcae/mongo/data - enabled: true - disableNfsProvisioner: true + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "500m" + memory: "1Gi" # Policy configuraiton properties # if enabled, policy-sync side car will be deployed @@ -169,18 +178,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml index 9c63dcf315..61a5f03b7e 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
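Review bot: `mongodb.auth.enabled: false` in the `mongodb:` overrides leaves the `dcaecommondb` instance on port 27017 without credentials. This diff adds no AuthorizationPolicy for the MongoDB pod; the tcagen2 policy above only lists `message-router-read` as a caller of the application itself. Any workload that can reach `dcae-mongohost` could then read or modify TCA state, so I would set `enabled: true` and supply the password from a Kubernetes secret rather than a values default, with tcagen2 reading the same secret. The `databases`/`usernames` entries added here probably have no effect while auth is off, though that depends on the vendored `mongodb` chart, which is not shown. If auth must stay off, add a comment naming the control that replaces it.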
@@ -18,27 +19,24 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE VES Collector name: dcae-ves-collector -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml new file mode 100644 index 0000000000..8e3ee32cb2 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml new file mode 100644 index 0000000000..5c7edd5b19 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml new file mode 100644 index 0000000000..4d82cf3b47 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index e0b2b12087..ae75bacb57 100644 
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -1,8 +1,9 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021-2022 Nokia. All rights reserved. -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2022 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2024 Deutsche Telekom Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,14 +36,13 @@ filebeatConfig: ################################################################# # initContainer images. ################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.11.1 +image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.12.4 pullPolicy: Always # log directory where logging sidecar should look for log files 
@@ -56,11 +56,6 @@ logConfigMapNamePrefix: '{{ include "common.fullname" . }}' # if absent, no certs will be retrieved and stored certDirectory: /opt/app/dcae-certificate -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - # CMPv2 certificate # It is used only when: # - certDirectory is set @@ -83,13 +78,8 @@ certificates: key: password create: true -# dependencies -readinessCheck: - wait_for: - - aaf-cm - - message-router - # probe configuration +readiness: initialDelaySeconds: 5 periodSeconds: 15 path: /healthcheck 
@@ -118,10 +108,87 @@ ingress: config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + # application environments applicationEnv: CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true' + BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' + JAAS_CONFIG: + externalSecret: true + externalSecretUid: '{{ include "common.name" . }}-ku' + key: sasl.jaas.config + +# Strimzi Kafka config +kafkaUser: + acls: + - name: unauthenticated.VES_PNFREG_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.VES_NOTIFICATION_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_HEARTBEAT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_OTHER_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_FAULT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.VES_MEASUREMENT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + +kafkaTopic: + - name: unauthenticated.VES_PNFREG_OUTPUT + strimziTopicName: unauthenticated.ves-pnfreg-output + - name: 
unauthenticated.VES_NOTIFICATION_OUTPUT + strimziTopicName: unauthenticated.ves-notification-output + - name: unauthenticated.SEC_HEARTBEAT_OUTPUT + strimziTopicName: unauthenticated.sec-heartbeat-output + - name: unauthenticated.SEC_OTHER_OUTPUT + strimziTopicName: unauthenticated.sec-other-output + - name: unauthenticated.SEC_FAULT_OUTPUT + strimziTopicName: unauthenticated.sec-fault-output + - name: unauthenticated.VES_MEASUREMENT_OUTPUT + strimziTopicName: unauthenticated.ves-measurment-output + - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-faultsupervision-output + - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-provisioning-output + - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-heartbeat-output + - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-performanceassurance-output # initial application configuration applicationConfig: @@ -141,7 +208,7 @@ applicationConfig: collector.service.port: "8080" collector.service.secure.port: "8443" event.transform.flag: "0" - auth.method: "certBasicAuth" + auth.method: "noAuth" header.authlist: "sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6|demouser,$2a$10$1cc.COcqV/d3iT2N7BjPG.S6ZKv2jpb9a5MV.o7lMih/GpjJRX.Ce" services_calls: [] streams_publishes: @@ -202,18 +269,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1.5Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1.5Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "3Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "3Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml index 1978ae4df4..4d1eb4a595 100644 
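Review bot: In the new `kafkaTopic` list, `strimziTopicName: unauthenticated.ves-measurment-output` is spelled "measurment", while its topic is `unauthenticated.VES_MEASUREMENT_OUTPUT` and the other nine entries map name-for-name. How `common.kafkatopic` uses the two fields is not visible here, so this may only affect the resource name. If the spelling is not deliberate I would change it to `strimziTopicName: unauthenticated.ves-measurement-output`; if it is kept to match an existing resource, say so in a comment.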
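Review bot: Changing `auth.method` from `certBasicAuth` to `noAuth` removes sender authentication in the collector itself. The only gate left is the mesh policy added earlier in this file, which authorizes the `istio-ingress` service account, i.e. anything the ingress gateway forwards. If authorization policies are not rendered (presumably when `common.useAuthorizationPolicies` is false), the collector would accept events from any client that can reach it. I would keep `certBasicAuth` as the chart default and make `noAuth` an explicit override, or at least add a comment such as `# noAuth: event senders must be authenticated at the ingress/mesh layer`. The `header.authlist` default with sample users on the following line appears unused under `noAuth` and could be dropped if so.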
--- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 AT&T Intellectual Property # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,24 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE VES-Mapper Microservice name: dcae-ves-mapper -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml index 47eb5f1f20..b886ae40d3 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml @@ -1,7 +1,8 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,16 +32,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.4.0 +image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.5.0 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -50,19 +46,11 @@ log: path: /opt/app/VESAdapter/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -#certDirectory: /opt/app/ves-mapper/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -#tlsServer: false - # Dependencies readinessCheck: wait_for: - - message-router + services: + - message-router # Service Configuration service: @@ -73,6 +61,11 @@ service: port: 80 port_protocol: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + # application environments applicationEnv: LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true' @@ -185,18 +178,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account 
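Review bot: The new `serviceMesh.authorizationPolicy.authorizedPrincipals` entry in the `@@ -73,6 +61,11 @@` hunk has no comment explaining why `message-router-read` needs inbound access to the mapper. The `readinessCheck` block in the same file lists `message-router` as something the mapper waits for, which suggests the mapper is the caller rather than the callee. The diff does not show the traffic direction, so the allow-list entry may be wider than needed. I would add a comment above the list, such as `# inbound callers admitted by the AuthorizationPolicy; keep to the minimum set`, and remove the entry if message-router never initiates connections to this service.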
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml index 33b129555f..afcb14aeaa 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml @@ -20,18 +20,21 @@ apiVersion: v2 description: ONAP DCAE VES OpenApi Manager name: dcae-ves-openapi-manager -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/configmap.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/configmap.yaml new file mode 100644 index 0000000000..7253125d50 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/configmap.yaml @@ -0,0 +1,20 @@ +{{/* +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2022 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +*/}} + +{{ include "dcaegen2-services-common.configMap" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml index 1c6e3593ac..64d88119a8 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml 
@@ -2,6 +2,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 Nokia. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -45,13 +46,20 @@ spec: periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} env: - - name: ASDC_ADDRESS - value: {{ .Values.externalServices.sdc_be_https }} - - name: SCHEMA_MAP_PATH - value: {{ .Values.schemaMap.directory }}/{{ .Values.schemaMap.filename }} + - name: SDC_ADDRESS + value: sdc-be.{{include "common.namespace" .}}:8080 + - name: SCHEMA_MAP_PATH + value: {{ .Values.schemaMap.directory }}/{{ .Values.schemaMap.filename }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - name: schema-map mountPath: {{ .Values.schemaMap.directory }} + - name: app-config + mountPath: /app/config/ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: schema-map @@ -61,5 +69,9 @@ spec: items: - key: {{ .Values.schemaMap.filename }} path: {{ .Values.schemaMap.filename }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + - name: app-config + configMap: + name: {{ include "common.fullname" . }}-application-config-configmap + defaultMode: 420 + optional: true + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null 
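Review bot: `SDC_ADDRESS` in the `@@ -45,13 +46,20 @@` hunk is hard-coded to `sdc-be.<namespace>:8080`, whereas the old `ASDC_ADDRESS` was read from `.Values.externalServices.sdc_be_https` (`sdc-be:8443`). Operators lose the override, and the SDC connection moves to the plain-HTTP port. The SDC user and password then stay confidential in transit only if the mesh enforces mTLS between the pods, and an install without the service mesh presumably sends them in cleartext. I would keep the address values-driven, for example `value: {{ .Values.config.sdcAddress | quote }}` (the key name is a placeholder), with a comment that port 8080 assumes sidecar mTLS.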
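Review bot: The `app-config` volume in the `@@ -61,5 +69,9 @@` hunk marks its ConfigMap `optional: true`, so a missing or misnamed `-application-config-configmap` yields an empty `/app/config/` and the pod still starts. The application would then presumably run on its built-in defaults (the `${SDC_ADDRESS:sdc-be.onap:8080}` style fallbacks) without any visible error. Unless running without the file is intended, I would drop `optional: true` so the problem surfaces as a failed mount. Otherwise add a comment such as `# optional: chart may be deployed without applicationConfig` explaining why it is tolerated.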
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/secrets.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/secrets.yaml new file mode 100644 index 0000000000..6ff81501a4 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/secrets.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright (C) 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml index c07bd529cc..6b6ed67fe4 100644 
--- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== #================================================================================= # Copyright (c) 2021-2022 Nokia. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ # Global values global: pullPolicy: Always -image: onap/org.onap.dcaegen2.platform.ves-openapi-manager:1.2.0 +image: onap/org.onap.dcaegen2.platform.ves-openapi-manager:1.3.1 containerPort: &svc_port 8080 service: @@ -26,8 +27,9 @@ service: - name: &port http port: *svc_port -externalServices: - sdc_be_https: "sdc-be:8443" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] schemaMap: filename: "schema-map.json" @@ -45,25 +47,25 @@ liveness: readinessCheck: wait_for: - - message-router - - sdc-be + services: + - sdc-be flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 512Mi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account 
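Review bot: `authorizedPrincipals: []` in the `@@ -26,8 +27,9 @@` hunk does not say what an empty list means. That is decided by the `common.authorizationPolicy` template, which is not part of this diff. Depending on how the template renders an empty list, the policy either admits no caller or admits every workload in the mesh, and those are opposite postures for a service listening on port 8080. I would state the intended effect in a comment above the key, for example `# empty list: no in-mesh caller is expected for this service`, and list the principals explicitly if any caller exists.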
@@ -71,3 +73,34 @@ serviceAccount: nameOverride: dcae-ves-openapi-manager roles: - read + +# initial application configuration +applicationConfig: + vesopenapimanager: + validation: + schemaMapPath: ${SCHEMA_MAP_PATH:./src/main/resources/schema-map.json} + eventDomainPath: /event/structure/commonEventHeader/structure/domain/value + eventSchemaReferencePath: /event/structure/stndDefinedFields/structure/schemaReference/value + distribution: + sdcAddress: ${SDC_ADDRESS:sdc-be.onap:8080} + isUseHttpsWithSDC: false + user: dcae + password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + pollingInterval: 20 + pollingTimeout: 20 + consumerGroup: dcaegen2 + environmentName: AUTO + consumerID: dcae-ves-openapi-manager + activateServerTLSAuth: false + isFilterInEmptyResources: false + +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: dcaegen2 + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/values.yaml b/kubernetes/dcaegen2-services/values.yaml index 1652f04f0f..ba3607f047 100644 --- a/kubernetes/dcaegen2-services/values.yaml +++ b/kubernetes/dcaegen2-services/values.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T. All rights reserved. -# Modifications Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,7 +16,6 @@ global: centralizedLoggingEnabled: true - hvVesKafkaUser: dcae-hv-ves-kafka-user ################################################################# # Filebeat Configuration Defaults. 
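Review bot: `applicationConfig.vesopenapimanager.distribution.password` in the `@@ -71,3 +73,34 @@` hunk commits a literal SDC credential to `values.yaml`. The chart mounts an `application-config` ConfigMap at `/app/config/`, so the value presumably ends up in a ConfigMap rather than a Secret. Every install that keeps the defaults shares the credential, and it is readable by anyone with access to the repository or to ConfigMaps in the namespace. The block already uses `${SCHEMA_MAP_PATH:...}` and `${SDC_ADDRESS:...}` placeholders, so the password can be written as `password: ${SDC_PASSWORD}` (the variable name is a placeholder) and supplied through a `secretKeyRef`, as the deployment does for `SASL_JAAS_CONFIG`. Separately, the `SDC-DISTR` prefix ACL grants `Write` as well as `Read`, and a comment naming the topic the component writes to would show that the grant is needed.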
@@ -47,8 +46,6 @@ dcae-heartbeat: dcae-hv-ves-collector: enabled: true logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.hvVesKafkaUser }}' dcae-kpi-ms: enabled: false logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' diff --git a/kubernetes/dcaemod/.helmignore b/kubernetes/dcaemod/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/dcaemod/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/dcaemod/Chart.yaml b/kubernetes/dcaemod/Chart.yaml deleted file mode 100644 index fc15c0be2b..0000000000 --- a/kubernetes/dcaemod/Chart.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD -name: dcaemod -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: dcaemod-genprocessor - version: ~12.x-0 - repository: 'file://components/dcaemod-genprocessor' - condition: dcaemod-genprocessor.enabled - - name: dcaemod-distributor-api - version: ~12.x-0 - repository: 'file://components/dcaemod-distributor-api' - condition: dcaemod-distributor-api.enabled - - name: dcaemod-designtool - version: ~12.x-0 - repository: 'file://components/dcaemod-designtool' - condition: dcaemod-designtool.enabled - - name: dcaemod-onboarding-api - version: ~12.x-0 - repository: 'file://components/dcaemod-onboarding-api' - condition: dcaemod-onboarding-api.enabled - - name: dcaemod-runtime-api - version: ~12.x-0 - repository: 'file://components/dcaemod-runtime-api' - condition: dcaemod-runtime-api.enabled - - name: dcaemod-nifi-registry 
- version: ~12.x-0 - repository: 'file://components/dcaemod-nifi-registry' - condition: dcaemod-nifi-registry.enabled - - name: dcaemod-healthcheck - version: ~12.x-0 - repository: 'file://components/dcaemod-healthcheck' - condition: dcaemod-healthcheck.enabled diff --git a/kubernetes/dcaemod/Makefile b/kubernetes/dcaemod/Makefile deleted file mode 100644 index 5617b0d816..0000000000 --- a/kubernetes/dcaemod/Makefile +++ /dev/null 
@@ -1,61 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# Copyright (c) 2021 AT&T. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -HELM_REPO := local - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/dcaemod/components/Makefile b/kubernetes/dcaemod/components/Makefile deleted file mode 100644 index 86bd7b9fa5..0000000000 --- a/kubernetes/dcaemod/components/Makefile +++ /dev/null 
@@ -1,74 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# Copyright (c) 2021 AT&T. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -HELM_REPO := local - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -# Helm v2 and helm v3 uses different version format so we first try in helm v3 format -# and if it fails then we fallback to helm v2 one -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}" 2>/dev/null) -ifneq "$(findstring v3,$(HELM_VER))" "v3" - HELM_VER := $(shell $(HELM_BIN) version -c --template "{{.Client.SemVer}}") -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) helm-repo-update - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME 
$(HELM_REPO); fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) - -helm-repo-update: -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @$(HELM_BIN) repo update -endif - -%: - @: \ No newline at end of file diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/Chart.yaml deleted file mode 100644 index 54680d2881..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/Chart.yaml +++ /dev/null @@ -1,33 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Design Tool -name: dcaemod-designtool -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' 
diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml deleted file mode 100644 index 556ac90e02..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcaemod-genprocessor-http - - --container-name - - dcaemod-nifi-registry - - --container-name - - dcaemod-distributor-api - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-create-bucket - image: {{ include "repositoryGenerator.image.curl" . 
}} - args: - - -kv - - -X - - POST - - -H - - "Content-Type: application/json" - - --data-binary - - '{"name": "dcaemod-flows"}' - - http://dcaemod-nifi-registry:18080/nifi-registry-api/buckets - - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.readiness.port }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: NIFI_DCAE_JARS_INDEX_URL - value: {{ .Values.config.nifiJarsIndexURL }} - - name: NIFI_DCAE_DISTRIBUTOR_API_URL - value: {{ .Values.config.distributorAPIURL }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/ingress.yaml deleted file mode 100644 index e7f8e2da8f..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.ingress" . }} \ No newline at end of file diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/service.yaml deleted file mode 100644 index 7fc4e896d2..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml deleted file mode 100644 index b05639b178..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -config: - nifiJarsIndexURL: http://dcaemod-genprocessor:8080/nifi-jars - distributorAPIURL: /distributor - -# application image -image: onap/org.onap.dcaegen2.platform.mod.designtool-web:1.0.2 - -service: - type: ClusterIP - name: dcaemod-designtool - ports: - - name: http - port: 8080 - -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod-nifi-ui" - path: "/nifi" - name: "dcaemod-designtool" - port: 8080 - - baseaddr: "dcaemod-nifi-api" - path: "/nifi-api" - name: "dcaemod-designtool" - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 90 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - path: /nifi-api/system-diagnostics - scheme: HTTP - port: http - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-designtool - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/Chart.yaml deleted file mode 100644 index 2d8ab41305..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Distributor API -name: dcaemod-distributor-api -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml deleted file mode 100644 index f36c2af002..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcaemod-runtime-api - - --container-name - - dcaemod-nifi-registry - - --container-name - - dcaemod-onboarding-api - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.readiness.port }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: NIFI_REGISTRY_URL - value: {{ .Values.config.nifiRegistryURL }} - - name : ONBOARDING_API_URL - value: {{ .Values.config.onboardingAPIURL }} - resources: {{ include "common.resources" . | nindent 12 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/ingress.yaml deleted file mode 100644 index 4a4ee7c876..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# ================================================================================
-# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-{{ include "common.ingress" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/service.yaml
deleted file mode 100644
index 100c3d5670..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml
deleted file mode 100644
index 68fcf1487f..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml
+++ /dev/null
@@ -1,97 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -config: - nifiRegistryURL: http://dcaemod-nifi-registry:18080/nifi-registry-api - onboardingAPIURL: http://dcaemod-onboarding-api:8080/onboarding - -# application image -image: onap/org.onap.dcaegen2.platform.mod.distributorapi:1.1.1 - -service: - type: ClusterIP - name: dcaemod-distributor-api - ports: - - name: http - port: 8080 - -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod-distributor-api" - path: "/distributor" - name: dcaemod-distributor-api - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - # Should have a proper readiness endpoint - # This will be OK as long as we have a small number - # of distribution targets - path: /distributor/distribution-targets - scheme: HTTP - port: http - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-distributor-api - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/Chart.yaml deleted file mode 100644 index 8cdb072951..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@
-#============LICENSE_START========================================================
-#=================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-
-apiVersion: v2
-description: ONAP DCAE MOD Genprocessor
-name: dcaemod-genprocessor
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml
deleted file mode 100644
index 26f6586688..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml
+++ /dev/null
@@ -1,81 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - # apps run as uid 1000, gid 1000 - # the volume is mounted with root permissions - # this initContainer changes ownership to uid 1000 gid 1000 - # (tried using a securityContext in the pod spec, but it didn't seem to work) - - name: set-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - - -c - - chown -R 1000:1000 /genprocessor-data - volumeMounts: - - mountPath: /genprocessor-data - name: genprocessor-data - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: GENPROC_ONBOARDING_API_HOST - value: {{ .Values.config.onboardingAPIURL }} - volumeMounts: - - mountPath: /work/ - name: genprocessor-data - resources: {{ include "common.resources" . | nindent 12 }} - - name: {{ include "common.name" . }}-http - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.httpImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /www/data - name: genprocessor-data - readOnly: true - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: genprocessor-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/ingress.yaml deleted file mode 100644 index 4a4ee7c876..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# ================================================================================
-# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-{{ include "common.ingress" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pv.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pv.yaml
deleted file mode 100644
index 2831c151d2..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pv.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.PV" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pvc.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pvc.yaml
deleted file mode 100644
index 1e6c62a653..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pvc.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-# ================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.PVC" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/service.yaml
deleted file mode 100644
index 100c3d5670..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml
deleted file mode 100644
index 2dafdc9c8a..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml
+++ /dev/null
@@ -1,104 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -config: - onboardingAPIURL: http://dcaemod-onboarding-api:8080/onboarding - -# application image -image: onap/org.onap.dcaegen2.platform.mod.genprocessor-job:1.0.2 -httpImage: onap/org.onap.dcaegen2.platform.mod.genprocessor-http:1.0.2 - -service: - type: ClusterIP - name: dcaemod-genprocessor - ports: - - name: http - port: 8080 - -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod-genprocessor-api" - path: "/nifi-jars" - name: dcaemod-genprocessor - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# Parameters for persistent storage -persistence: - enabled: true -# Only the genprocessor-job writes, genprocessor-http mounts readOnly - accessMode: ReadWriteMany - size: 4Gi - mountPath: /dockerdata-nfs - mountSubPath: dcae-mod-genprocessor/data - volumeReclaimPolicy: Retain - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-genprocessor - roles: - - read - diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/Chart.yaml deleted file mode 100644 index 74ad041dd0..0000000000 
--- a/kubernetes/dcaemod/components/dcaemod-healthcheck/Chart.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-
-apiVersion: v2
-description: ONAP DCAE MOD Health Check
-name: dcaemod-healthcheck
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml
deleted file mode 100644
index f46dc5f287..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml
+++ /dev/null
@@ -1,67 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: 1 - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: {{ include "common.containerPorts" . | nindent 10 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ include "common.getPort" (dict "global" . 
"name" "http") }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ include "common.getPort" (dict "global" . "name" "http") }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /opt/app/expected-components.json - subPath: expected-components.json - name: {{ include "common.fullname" .}}-expected-components - env: - - name: DCAE_NAMESPACE - value: {{ .Values.dcae_ns }} - - name: ONAP_NAMESPACE - value: {{ include "common.namespace" . }} - - name: HELM_RELEASE - value: {{ include "common.release" . }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-expected-components - configMap: - name: {{ include "common.release" . }}-dcaemod-expected-components - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/service.yaml deleted file mode 100644 index 7fc4e896d2..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml
deleted file mode 100644
index 73661ac843..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml
+++ /dev/null
@@ -1,72 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - nodePortPrefix: 302 - -service: - name: dcaemod-healthcheck - type: ClusterIP - ports: - - name: http - port: 8080 - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 -# application image -image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.0 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-healthcheck - roles: - - read - diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/Chart.yaml deleted file mode 100644 index d9620bbb09..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@
-#============LICENSE_START========================================================
-#=================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-
-apiVersion: v2
-description: ONAP DCAE MOD Nifi Registry
-name: dcaemod-nifi-registry
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml
deleted file mode 100644
index 53f1de59bc..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - # nifi-registry app runs as user "nifi", uid 1000, group "nifi", gid 1000 - # the volume is mounted with root permissions - # this initContainer changes ownership to uid 1000 gid 1000 - # (tried using a securityContext in the pod spec, but it didn't seem to work) - - name: set-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - - -c - - chown -R 1000:1000 /opt/nifi-registry/nifi-registry-0.4.0/flow_storage - volumeMounts: - - mountPath: /opt/nifi-registry/nifi-registry-0.4.0/flow_storage - name: flow-storage - containers: - - name: {{ include "common.name" . 
}} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /opt/nifi-registry/nifi-registry-0.4.0/flow_storage - name: flow-storage - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: NIFI_REGISTRY_DB_URL - value: {{ .Values.config.dbURL }} - - name: NIFI_REGISTRY_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "login") | indent 12 }} - - name: NIFI_REGISTRY_DB_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "password") | indent 12 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: flow-storage - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pv.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pv.yaml deleted file mode 100644 index b351573f83..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pv.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-
-{{ include "common.PV" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pvc.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pvc.yaml
deleted file mode 100644
index 1e6c62a653..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pvc.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-# ================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.PVC" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/secrets.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/secrets.yaml
deleted file mode 100644
index 869e3d3912..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/secrets.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-{{ include "common.secretFast" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/service.yaml
deleted file mode 100644
index 100c3d5670..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml
deleted file mode 100644
index a0bbacc7ef..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml
+++ /dev/null
@@ -1,96 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - -config: - dbURL: jdbc:h2:./database/nifi-registry-primary - dbUser: nobody - dbPassword: nobody - -secrets: - - uid: "dbsecret" - type: basicAuth - login: '{{ .Values.config.dbUser }}' - password: '{{ .Values.config.dbPassword }}' - passwordPolicy: generate - -# application image -image: apache/nifi-registry:0.5.0 - -service: - type: ClusterIP - name: dcaemod-nifi-registry - ports: - - name: http - port: 18080 - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# Parameters for persistent storage -persistence: - enabled: true - accessMode: ReadWriteOnce - size: 4Gi - mountPath: /dockerdata-nfs - mountSubPath: dcae-mod-nifi-registry/data - volumeReclaimPolicy: Retain - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-nifi-registry - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/.helmignore b/kubernetes/dcaemod/components/dcaemod-onboarding-api/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/Chart.yaml
deleted file mode 100644
index 051d942ac4..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/Chart.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-#============LICENSE_START========================================================
-#=================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-
-apiVersion: v2
-description: ONAP DCAE MOD Onboarding API
-name: dcaemod-onboarding-api
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: postgres
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml
deleted file mode 100644
index 5c7d1b6d0d..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml
+++ /dev/null
@@ -1,83 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.postgres.nameOverride }} - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }} - command: - - sh - args: - - -c - - 'PG_CONN=postgresql://${PG_USER}:${PG_PASSWORD}@${PG_ADDR}:${PG_PORT}/${PG_DB_NAME} ./start.sh' - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: PG_ADDR - value: {{ .Values.postgres.service.name2 }} - # This should be kept in secret but it needs a fix in postgres common chart - - name: PG_USER - value: postgres - - name: PG_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14 }} - - name: PG_PORT - value: "5432" - - name: PG_DB_NAME - value: dcae_onboarding_db - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/ingress.yaml deleted file mode 100644 index 4a4ee7c876..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# ================================================================================
-# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-{{ include "common.ingress" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/secret.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/secret.yaml
deleted file mode 100644
index 34932b713d..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/secret.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.secretFast" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/service.yaml
deleted file mode 100644
index 100c3d5670..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml
deleted file mode 100644
index 70067e557c..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml
+++ /dev/null
@@ -1,122 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-root-pass - name: &rootPassSecretName '{{ include "common.release" . }}-dcaemod-db-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dcaemod-db-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret)}}' - password: '{{ .Values.postgres.config.pgRootPassword }}' - - uid: db-primary-pass - name: &primaryPassSecretName '{{ include "common.release" . 
}}-dcaemod-db-primary-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgPrimaryPasswordExternalSecret) .) (hasSuffix "dcaemod-db-primary-pass" .Values.postgres.config.pgPrimaryPasswordExternalSecret)}}' - password: '{{ .Values.postgres.config.pgPrimaryPassword }}' - -service: - type: ClusterIP - name: dcaemod-onboarding-api - ports: - - name: http - port: 8080 -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod-onboarding-api" - path: "/onboarding" - name: dcaemod-onboarding-api - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# postgres values--overriding defaults in the postgres subchart -postgres: - nameOverride: dcaemod-db - service: - name: dcaemod-postgres - name2: dcaemod-pg-primary - name3: dcaemod-pg-replica - suffix: svc.cluster.local - container: - name: - primary: dcaemod-pg-primary - replica: dcaemod-pg-replica - config: - pgPrimaryPasswordExternalSecret: *primaryPassSecretName - pgRootPasswordExternalSecret: *rootPassSecretName - persistence: - mountSubPath: dcaemod/data - mountInitPath: dcaemod - -# application image -image: onap/org.onap.dcaegen2.platform.mod.onboardingapi:2.13.0 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-onboarding-api - roles: - - read - 
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/.helmignore b/kubernetes/dcaemod/components/dcaemod-runtime-api/.helmignore
deleted file mode 100644
index f0c1319444..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/Chart.yaml
deleted file mode 100644
index 6afc6a72aa..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/Chart.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-#============LICENSE_START========================================================
-#=================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-
-apiVersion: v2
-description: ONAP DCAE MOD Runtime API
-name: dcaemod-runtime-api
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
- - name: readinessCheck
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/addons/templates/certificates.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/addons/templates/certificates.yaml
deleted file mode 100644
index 8c964ecd02..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/addons/templates/certificates.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}
-{{ include "certManagerCertificate.certificate" . }}
-{{ end }}
\ No newline at end of file
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/Chart.yaml
deleted file mode 100644
index 85dcc792be..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/Chart.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-#============LICENSE_START========================================================
-#=================================================================================
-# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-
-apiVersion: v2
-appVersion: "Kohn"
-description: TBD
-name: TBD
-version: TBD
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: readinessCheck
- version: ~12.x-0
- repository: '@local'
- - name: dcaegen2-services-common
- version: ~12.x-0
- repository: '@local'
- - name: postgres
- version: ~12.x-0
- repository: '@local'
- condition: postgres.enabled
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
- - name: mongo
- version: ~12.x-0
- repository: '@local'
- condition: mongo.enabled
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/configmap.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/configmap.yaml
deleted file mode 100644
index 866a9ad672..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/configmap.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "dcaegen2-services-common.configMap" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/deployment.yaml
deleted file mode 100644
index bef31a7a3a..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/deployment.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "dcaegen2-services-common.microserviceDeployment" . }}
\ No newline at end of file
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/secret.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/secret.yaml
deleted file mode 100644
index 6ee9297869..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "common.secretFast" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/service.yaml
deleted file mode 100644
index f024c64864..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/service.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "common.service" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/values.yaml
deleted file mode 100644
index 99160210d0..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/values.yaml
+++ /dev/null
@@ -1,110 +0,0 @@
-#============LICENSE_START========================================================
-#=================================================================================
-# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-#################################################################
-# Global configuration defaults.
-#################################################################
-global:
- nodePortPrefix: 302
- nodePortPrefixExt: 304
-
-#################################################################
-# initContainer images.
-#################################################################
-tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
-consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0
-
-#################################################################
-# Application configuration defaults.
-#################################################################
-# application image
-image: TBD #DONE
-pullPolicy: Always
-
-#policy sync image
-dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1
-
-#postgres enable/disable
-postgres:
- enabled: false
-
-#mongo enable/disable
-mongo:
- enabled: false
- nameOverride: dcae-mongo
- config:
- dbName: dcaecommondb
- service:
- name: dcae-mongohost
- internalPort: 27017
- nfsprovisionerPrefix: dcaemongo
- sdnctlPrefix: tcagen2
- persistence:
- mountSubPath: dcae/mongo/data
- enabled: true
- disableNfsProvisioner: true
-
-# log directory where logging sidecar should look for log files
-# if absent, no sidecar will be deployed
-#log:
-# path: TBD #/opt/app/VESCollector/logs #DONE
-logConfigMapNamePrefix: '{{ include "common.fullname" . }}'
-
-# directory where TLS certs should be stored
-# if absent, no certs will be retrieved and stored
-#certDirectory: TBD #/opt/app/dcae-certificate #DONE
-
-# TLS role -- set to true if microservice acts as server
-# If true, an init container will retrieve a server cert
-# and key from AAF and mount them in certDirectory.
-#tlsServer: TBD #DONE
-
-# dependencies
-readinessCheck:
- wait_for:
- - aaf-cm
-
-# probe configuration #NEED DISCUSSION
-readiness:
- initialDelaySeconds: TBD
- periodSeconds: TBD
- path: TBD
- scheme: TBD
- port: TBD
-
-# Resource Limit flavor -By Default using small
-flavor: small
-# Segregation for Different environment (Small and Large)
-resources:
- small:
- limits:
- cpu: 2
- memory: 2Gi
- requests:
- cpu: 1
- memory: 1Gi
- large:
- limits:
- cpu: 4
- memory: 4Gi
- requests:
- cpu: 2
- memory: 2Gi
- unlimited: {}
-serviceAccount:
- nameOverride: TBD
- roles:
- - read
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/configmap.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/configmap.yaml
deleted file mode 100644
index 7d90f5812c..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/configmap.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-dcae-helmgen-templates
- namespace: {{ include "common.namespace" . }}
-data:
-{{ (.Files.Glob "resources/config/base/templates/*.yaml").AsConfig | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-dcae-helmgen-base
- namespace: {{ include "common.namespace" . }}
-data:
-{{ (.Files.Glob "resources/config/base/*.yaml").AsConfig | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-dcae-helmgen-addons-templates
- namespace: {{ include "common.namespace" . }}
-data:
-{{ (.Files.Glob "resources/config/addons/templates/*").AsConfig | indent 2 }}
\ No newline at end of file
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml
deleted file mode 100644
index 39044465dc..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2019-2021 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-apiVersion: apps/v1
-kind: Deployment
-metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
-spec:
- replicas: 1
- selector: {{- include "common.selectors" . | nindent 4 }}
- template:
- metadata: {{- include "common.templateMetadata" . | nindent 6 }}
- spec:
- containers:
- - name: {{ include "common.name" . }}
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- ports: {{ include "common.containerPorts" . | nindent 12 }}
- {{- if eq .Values.liveness.enabled true }}
- livenessProbe:
- tcpSocket:
- port: {{ .Values.liveness.port }}
- initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
- periodSeconds: {{ .Values.liveness.periodSeconds }}
- {{ end }}
- readinessProbe:
- tcpSocket:
- port: {{ .Values.readiness.port }}
- initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
- periodSeconds: {{ .Values.readiness.periodSeconds }}
- resources: {{ include "common.resources" . | nindent 12 }}
- volumeMounts:
- - mountPath: {{ .Values.config.basehelmchartlocation }}/base/values.yaml
- subPath: values.yaml
- name: dcae-helmgen-base
- - mountPath: {{ .Values.config.basehelmchartlocation }}/base/Chart.yaml
- subPath: Chart.yaml
- name: dcae-helmgen-base
- - mountPath: {{ .Values.config.basehelmchartlocation }}/base/templates
- name: dcae-helmgen-templates
- - mountPath: {{ .Values.config.basehelmchartlocation }}/addons/templates
- name: dcae-helmgen-addon-templates
- env:
- - name: DASHBOARD_URL
- value: {{ .Values.config.dashboardURL }}
- - name: DASHBOARD_USERNAME
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dashsecret" "key" "login") | indent 14 }}
- - name: DASHBOARD_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dashsecret" "key" "password") | indent 14 }}
- - name: ONAP_TOPICURL
- value: {{ .Values.config.mrTopicURL }}
- - name: ONAP_IMPORT_CLOUDIFYPLUGIN
- value: {{ .Values.config.importCloudify }}
- - name: ONAP_IMPORT_K8SPLUGIN
- value: {{ .Values.config.importK8S }}
- - name: ONAP_IMPORT_POLICYPLUGIN
- value: {{ .Values.config.importPolicy }}
- - name: ONAP_IMPORT_POSTGRESPLUGIN
- value: {{ .Values.config.importPostgres }}
- - name: ONAP_IMPORT_CLAMPPLUGIN
- value: {{ .Values.config.importClamp }}
- - name: ONAP_IMPORT_DMAAPPLUGIN
- value: {{ .Values.config.importDMaaP }}
- - name: ONAP_USEDMAAPPLUGIN
- value: {{ .Values.config.useDmaapPlugin | quote }}
- - name: BP_RESOURCES_CPU_LIMIT
- value: {{ .Values.config.bpResourcesCpuLimit }}
- - name: BP_RESOURCES_MEMORY_LIMIT
- value: {{ .Values.config.bpResourcesMemoryLimit }}
- - name: ARTIFACT_TYPE
- value: {{ .Values.config.artifactType }}
- - name: CHARTMUSEUM_BASEURL
- value: {{ .Values.config.registryBaseurl }}
- - name: HELM_BASE_CHART_TEMPLATE_LOCATION
- value: {{ .Values.config.basehelmchartlocation }}
- - name: CHARTMUSEUM_AUTH_BASIC_USERNAME
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "registrycred" "key" "login") | indent 14 }}
- - name: CHARTMUSEUM_AUTH_BASIC_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "registrycred" "key" "password") | indent 14 }}
- serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
- volumes:
- - name: dcae-helmgen-templates
- configMap:
- name: {{ include "common.fullname" . }}-dcae-helmgen-templates
- - name: dcae-helmgen-base
- configMap:
- name: {{ include "common.fullname" . }}-dcae-helmgen-base
- - name: dcae-helmgen-addon-templates
- configMap:
- name: {{ include "common.fullname" . }}-dcae-helmgen-addons-templates
\ No newline at end of file
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/secrets.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/secrets.yaml
deleted file mode 100644
index 3c527f8cd3..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/secrets.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.secretFast" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/service.yaml
deleted file mode 100644
index 100c3d5670..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-{{ include "common.service" . }}
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml
deleted file mode 100644
index 64d196d908..0000000000
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
-#============LICENSE_START========================================================
-#=================================================================================
-# Copyright (c) 2019-2021 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-
-#################################################################
-# Global configuration defaults.
-#################################################################
-global:
- nodePortPrefix: 302
- nodePortPrefixExt: 304
-
-config:
- dashboardURL: https://inventory:8080/dcae-service-types
- # The dashboard credentials aren't actually used, since
- # the inventory API and the dashboard pass-through to the
- # inventory API don't require authentication.
- # Since the password doesn't matter, we let it be
- # generated by the common secret template.
- dashboardUser: nobody
- #dashboardPassword: doesntmatter
- mrTopicURL: http://message-router:3904/events
- importCloudify: https://www.getcloudify.org/spec/cloudify/4.5.5/types.yaml
- importK8S: plugin:k8splugin?version=>=3.5.1,<4.0.0
- importPostgres: plugin:pgaas?version=1.3.0
- importClamp: plugin:clamppolicyplugin?version=1.1.1
- importDMaaP: plugin:dmaap?version=>=1.5.1,<2.0.0
- useDmaapPlugin: false
- bpResourcesCpuLimit: 250m
- bpResourcesMemoryLimit: 128Mi
- artifactType: "HELM"
- registryBaseurl: http://chart-museum:80
- basehelmchartlocation: /helm-gen/
-
-
-secrets:
- - uid: "dashsecret"
- type: basicAuth
- login: '{{ .Values.config.dashboardUser }}'
- password: '{{ .Values.config.dashboardPassword }}'
- passwordPolicy: generate
- - uid: registrycred
- type: basicAuth
- login: '{{ .Values.registryCred.username }}'
- password: '{{ .Values.registryCred.password }}'
- passwordPolicy: required
-
-# Below parameter should match setting in all clients
-# including oom\kubernetes\platform\components\chartmuseum
-# where ONAP registry is setup
-registryCred:
- username: onapinitializer
- password: demo123456!
-
-service:
- type: ClusterIP
- name: dcaemod-runtime-api
- ports:
- - name: http
- port: 9090
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 60
- periodSeconds: 30
- port: http
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
-
-readiness:
- initialDelaySeconds: 60
- periodSeconds: 20
- port: http
- # Should have a proper readiness endpoint or script
-
-# dependencies
-#readinessCheck:
-# wait_for:
-# - chart-museum
-
-
-# application image
-image: onap/org.onap.dcaegen2.platform.mod.runtime-web:1.3.3
-
-# Resource Limit flavor -By Default using small
-flavor: small
-# Segregation for Different environment (Small and Large)
-resources:
- small:
- limits:
- cpu: 2
- memory: 2Gi
- requests:
- cpu: 1
- memory: 1Gi
- large:
- limits:
- cpu: 4
- memory: 4Gi
- requests:
- cpu: 2
- memory: 2Gi
- unlimited: {}
-
-#Pods Service Account
-serviceAccount:
- nameOverride: dcaemod-runtime-api
- roles:
- - read
diff --git a/kubernetes/dcaemod/resources/expected-components.json b/kubernetes/dcaemod/resources/expected-components.json
deleted file mode 100644
index 7fd644c3f8..0000000000
--- a/kubernetes/dcaemod/resources/expected-components.json
+++ /dev/null
@@ -1,10 +0,0 @@
-[
-{{- $ctx := . }}
-{{- $components := tuple "dcaemod-designtool" "dcaemod-distributor-api" "dcaemod-genprocessor" "dcaemod-nifi-registry" "dcaemod-onboarding-api" "dcaemod-runtime-api" }}
-{{- range $i, $v := $components }}
-{{- if index $ctx.Values . "enabled" }}
-{{- if $i }},{{ end }}
-{{ $v | quote | indent 2 }}
-{{- end -}}
-{{- end }}
-]
\ No newline at end of file
diff --git a/kubernetes/dcaemod/templates/configmap.yaml b/kubernetes/dcaemod/templates/configmap.yaml
deleted file mode 100644
index 13b374cb04..0000000000
--- a/kubernetes/dcaemod/templates/configmap.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{/*
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.release" . }}-dcaemod-expected-components
- namespace: {{ include "common.namespace" . }}
-data:
-{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/dcaemod/values.yaml b/kubernetes/dcaemod/values.yaml
deleted file mode 100644
index 57e6d32693..0000000000
--- a/kubernetes/dcaemod/values.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#################################################################
-# Global configuration defaults.
-#################################################################
-global:
- nodePortPrefix: 302
-
-# Enable all DCAE MOD components by default
-dcaemod-designtool:
- enabled: true
-dcaemod-distributor-api:
- enabled: true
-dcaemod-genprocessor:
- enabled: true
-dcaemod-healthcheck:
- enabled: true
-dcaemod-nifi-registry:
- enabled: true
-dcaemod-onboarding-api:
- enabled: true
-dcaemod-runtime-api:
- enabled: true
\ No newline at end of file
diff --git a/kubernetes/dmaap/Chart.yaml b/kubernetes/dmaap/Chart.yaml
index 8d84a97ba2..31c57e31d0 100644
--- a/kubernetes/dmaap/Chart.yaml
+++ b/kubernetes/dmaap/Chart.yaml
@@ -18,28 +18,24 @@ apiVersion: v2 description: ONAP DMaaP components name: dmaap -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: message-router - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/message-router' condition: message-router.enabled - - name: dmaap-bc - version: ~12.x-0 - repository: 'file://components/dmaap-bc' - condition: dmaap-bc.enabled - name: dmaap-dr-node - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/dmaap-dr-node' condition: dmaap-dr-node.enabled - name: dmaap-dr-prov - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/dmaap-dr-prov' condition: dmaap-dr-prov.enabled - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dmaap/README.md b/kubernetes/dmaap/README.md index 8c61b6a012..33362926b0 100644 --- a/kubernetes/dmaap/README.md +++ b/kubernetes/dmaap/README.md @@ -1,5 +1,6 @@ # Copyright © 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2018 Amdocs,Bell Canada +# Copyright (c) 2023 J. F.Lucas. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,11 +19,4 @@ ONAP DMaaP includes the following Kubernetes services: 1) message-router - a message bus for applications -2) dbc-api - an API to provision DMaaP resources -3) dmaap-data-router - an API to provision data feeds for consumers - -# Service Dependencies - -message-router depends on AAF -dmaap-data-router depends on AAF -dbc-api depends on AAF and Postgresql. \ No newline at end of file +2) dmaap-data-router - an API to provision data feeds for consumers diff --git a/kubernetes/dmaap/components/dmaap-bc/.helmignore b/kubernetes/dmaap/components/dmaap-bc/.helmignore deleted file mode 100644 index f0c1319444..0000000000 
--- a/kubernetes/dmaap/components/dmaap-bc/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/dmaap/components/dmaap-bc/Chart.yaml b/kubernetes/dmaap/components/dmaap-bc/Chart.yaml
deleted file mode 100644
index 66f93cd90d..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/Chart.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
-# Modifications Copyright © 2018 Amdocs,Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: a Helm chart to deploy ONAP DMaaP Bus Controller (aka dmaap-bc) in Kubernetes
-name: dmaap-bc
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
- repository: '@local'
- - name: postgres
- version: ~12.x-0
- repository: '@local'
- condition: PG.enabled
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/dmaap/components/dmaap-bc/README.md b/kubernetes/dmaap/components/dmaap-bc/README.md
deleted file mode 100644
index a6115477ec..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/README.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Helm Chart for ONAP DMaaP Applications
-
-ONAP includes the following Kubernetes services available in ONAP Beijing Release (more expected in future):
-
-1) message-router - a message bus for applications
-2) dmaap-prov - an API to provision DMaaP resources
-
-# Service Dependencies
-
-message-router depends on AAF
-dmaap-prov depends on AAF and Postgresql.
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env b/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
deleted file mode 100644
index 2b2ea4183a..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-# Environment settings for starting a container
-DMAAPBC_WAIT_TO_EXIT=Y
-DMAAPBC_KSTOREFILE=/opt/app/osaaf/local/org.onap.dmaap-bc.jks
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
deleted file mode 100644
index d464428893..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
+++ /dev/null
@@ -1,277 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -##################################################### -# -# Hooks for specific environment configurations -# -##################################################### -# Indicator for whether to use AAF for authentication -UseAAF: {{ .Values.global.aafEnabled }} - -# Stub out southbound calls for Unit Test cases to run. e.g. not timeout -# Comment out in other environments to get default (No) -#UnitTest: Yes - - -##################################################### -# -# Settings for Southbound API: Datarouter -# -##################################################### - -# URI to retrieve dynamic DR configuration -ProvisioningURI: /internal/prov - -# indicator for handling feed delete: -# DeleteOnDR - means use the DR API to DELETE a feed. (default for backwards compatibility) -# SimulateDelete - means preserve the feed on DR (after cleaning it up), and mark as DELETED in DBCL. Better for cloudify environments. -Feed.deleteHandling: SimulateDelete - -########################################################### -# The following properties default to match ONAP DR instance. -# However, there are some non-ONAP DR instances that require other values. 
-# Sets the X-DR-ON-BEHALF-OF HTTP Header value -#DR.onBehalfHeader: -# Value for the Content-Type Header in DR Feed API -#DR.feedContentType: -# Value for the Content-Type Header in DR Subscription API -#DR.subContentType: -# -# END OF properties helpful for non-ONAP DR instance. -############################################################ - -##################################################### -# -# Settings for Soutbound API: Postgresql -# -##################################################### -# flag indicates if we are using postgresql -UsePGSQL: {{ .Values.PG.enabled }} - -# postgres host name -# Need to connect to PG primary service, designated by service.name2 -DB.host: {{ .Values.postgres.service.name2 }} - -# postgres schema name -#DB.schema: {{ .Values.postgres.config.pgDatabase }} - -# postgres user name -DB.user: ${PG_USER} - -# postgres user password -DB.cred: ${PG_PASSWORD} - - -##################################################### -# -# Settings for Soutbound API: Message Router -# -##################################################### -# indicator for multi-site (locations) deployment. Give clue to buscontroller whether -# there is a need for message replication between edge and central. -# ONAP Casablanca is a single site deployment -MR.multisite: false - -# FQDN of primary message router. -# In ONAP Casablanca, there is only 1 message router service, so use that. 
-# In a multi-site, MR cluster deployment, use the CNAME DNS entry which resolves to the primary central MR -MR.CentralCname: {{ .Values.dmaapMessageRouterService }} - -# Indicator for whether we want hostname verification on SSL connection to MR -MR.hostnameVerify: false - -# MR Client Delete Level thoroughness: -# 0 = don't delete -# 1 = delete from persistent store -# 2 = delete from persistent store (DB) and authorization store (AAF) -MR.ClientDeleteLevel: 1 - -# namespace of MR Topic Factory -MR.TopicFactoryNS: org.onap.dmaap.mr.topicFactory - -# AAF Role assigned to Topic Manager Identity -MR.TopicMgrRole: org.onap.dmaap-bc-topic-mgr.client - -# MR topic ProjectID (used in certain topic name generation formats) -MR.projectID: mr - -# Use Basic Authentication when provisioning topics -MR.authentication: basicAuth - -# MR topic name style (default is FQTN_LEGACY_FORMAT) -#MR.topicStyle: FQTN_LEGACY_FORMAT -# -# end of MR Related Properties -################################################################################ - - -##################################################### -# -# Settings for Southbound API: CADI -# -##################################################### -# path to cadi.properties -cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props - -##################################################### -# -# Settings for Southbound API: AAF proxy -# -##################################################### -# URL of the AAF server -aaf.URL: {{ .Values.aafURL }} - -# TopicMgr Identity -aaf.TopicMgrUser: {{ .Values.topicMgrUser }} - -# Password for TopicMgr identity -aaf.TopicMgrPassword: {{ .Values.topicMgrPwd }} - -# Buscontroller Admin Identity -aaf.AdminUser: {{ .Values.adminUser }} - -# Admin Password -aaf.AdminPassword: {{ .Values.adminPwd }} - -# Identity that is owner of any created namespaces for topics -aaf.NsOwnerIdentity: {{ .Values.adminUser }} - - -# this overrides the Class used for Decryption. 
-# This allows for a plugin encryption/decryption method if needed. -# Call this Class for decryption at runtime. -#AafDecryption.Class: com.company.proprietaryDecryptor - -# location of the codec keyfile used to decrypt passwords in this properties file before they are passed to AAF -# Not used in ONAP, but possibly used with Decryption override class. -#CredentialCodeKeyfile: etc/LocalKey - -# -# endof AAF Properties -#################################################### - - -##################################################### -# -# Settings for authorization of DBCAPI -# -##################################################### -# Namespace for URI values for the API used to create AAF permissions -# e.g. if ApiNamespace is X.Y.dmaapbc.api then for URI /mr_clients we create AAF perm X.Y.dmaapbc.api.mr_clients -ApiNamespace: org.onap.dmaap-bc.api - -# If API authorization is required, then implement a class to enforce it. -# This overrides the Class used for API permission check. -ApiPermission.Class: org.onap.dmaap.dbcapi.authentication.AllowAll - -##################################################### -# -# Settings for Southbound API: MirrorMaker provisioning -# -##################################################### -# AAF Role of client publishing MM prov cmds -MM.ProvRole: org.onap.dmaap-bc-mm-prov.prov - -# AAF identity when publishing MM prov cmds -MM.ProvUserMechId: dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org - -# pwd for Identity used to publish MM prov cmds -MM.ProvUserPwd: demo123456! - -# AAF Role of MirrorMaker agent subscribed to prov cmds. 
-MM.AgentRole: org.onal.dmaap-bc-mm-prov.agent - -##################################################### -# -# Certificate Management -# -##################################################### - -# Indicates how we are expecting certificates to be provided: -# cadi - a set of artifacts will be downloaded from AAF at deployment time, and details will be in a cadi properties file -# legacy (default) - artifacts will be installed manually or some other way and details will be in this file -CertificateManagement: cadi - -# When CertificateManagement is cadi, then this is where all the cadi properties will be. -# Note that the cadi properties include where the cert is, and the encrypted passwords to read. -cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props - -########################################################################################### -# When CertificateManagement is legacy, we need to provide more details about cert handling: -#CertificateManagement: legacy -# the type of keystore for https (for legacy CertificateManagment only) -#KeyStoreType: jks - -# path to the keystore file (for legacy CertificateManagment only) -#KeyStoreFile: etc/keystore - -# password for the https keystore (for legacy CertificateManagment only) -#KeyStorePassword: Y@Y5f&gm?PAz,CVQL,lk[VAF -# password for the private key in the https keystore (for legacy CertificateManagment only) -#KeyPassword: changeit - -# type of truststore for https (for legacy CertificateManagment only) -#TrustStoreType: jks - -# path to the truststore for https (for legacy CertificateManagment only) -#TrustStoreFile: etc/org.onap.dmaap-bc.trust.jks - -# password for the https truststore (for legacy CertificateManagment only) -#TrustStorePassword: changeit -# -# END OF legacy CertificateManagement properties -########################################################################################### - - -##################################################### -# -# HTTP Server Configuration -# 
-##################################################### - -# Allow http access to dbcapi -HttpAllowed: true - -# listen to http port within this container (server) -IntHttpPort: 8080 - -# listen to https port within this container (server) -# set to 0 if no certificates are available. -IntHttpsPort: 8443 - - - -inHttpsPort: 0 - -##################################################### -# -# Deprecated -# -##################################################### -# csit: stubs out some southbound APIs for csit (deprecated) -#csit: No -# name of this DMaaP instance (deprecated) -#DmaapName: demo -# external port number for https taking port mapping into account (deprecated) -#ExtHttpsPort: 443 -# path to the file used to trigger an orderly shutdown (deprecated) -#QuiesceFile: etc/SHUTDOWN -# FQDN of DR Prov Server (deprecated) -#DR.provhost: dcae-drps.domain.not.set -# root of topic namespace (decrecated) -#topicNsRoot: org.onap.dcae.dmaap diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dcaeLocations/san-francisco.json b/kubernetes/dmaap/components/dmaap-bc/resources/dcaeLocations/san-francisco.json deleted file mode 100644 index ca1e740dd8..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dcaeLocations/san-francisco.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - - "dcaeLayer": "kubernetes-central", - "dcaeLocationName": "san-francisco" -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dmaap/onap.json b/kubernetes/dmaap/components/dmaap-bc/resources/dmaap/onap.json deleted file mode 100644 index 23b111c8f3..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dmaap/onap.json +++ /dev/null @@ -1,11 +0,0 @@ -{ -{{ if eq .Values.fixedTopicNamespace true }} - "dmaapName": "mr", -{{- else -}} - "dmaapName": "{{ include "common.namespace" . }}", -{{- end}} - "drProvUrl": "https://dmaap-dr-prov", - "version": "1", - "topicNsRoot": "org.onap.dmaap", - "bridgeAdminTopic": "DCAE_MM_AGENT" -} 
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml
deleted file mode 100644
index 7ef2dcdb8f..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "dcaeLocationName" : "san-francisco",
- "fqdn" : "dmaap-dr-node.san-francisco",
- "hostName" : "dmaap-dr-node.pod",
- "version" : "1.0.1"
-}
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml
deleted file mode 100644
index 272cd75e52..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "dcaeLocationName" : "edge1",
- "fqdn" : "dmaap-dr-node.edge1",
- "hostName" : "dmaap-dr-node.pod.edge1",
- "version" : "1.0.1"
-}
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README b/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README
deleted file mode 100644
index 4f5eac5ba1..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-# Intent of this directory is for it to contain a file for each feed that needs to be provisioned in DR.
-# So, app teams can add files to this directory as needed without impacting each other's code.
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/mr_clusters/san-francisco.json b/kubernetes/dmaap/components/dmaap-bc/resources/mr_clusters/san-francisco.json
deleted file mode 100644
index 9e732d2af8..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/mr_clusters/san-francisco.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "dcaeLocationName": "san-francisco",
- "fqdn": "message-router",
- "topicProtocol": "http",
- "topicPort": "3904"
-}
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json
deleted file mode 100644
index 34197b948e..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "topicName": "PNF_READY",
- "topicDescription": "This topic will be used to publish the PNF_READY events generated by the PNF REgistration Handler service in the DCAE platform.",
- "owner": "PNFRegistrationHandler",
- "tnxEnabled": false,
- "clients": [
- {
- "dcaeLocationName": "san-francisco",
- "clientRole": "org.onap.dmaap.mr.PNF_READY.pub",
- "action": [
- "pub",
- "view"
- ]
-
- }
- ]
-}
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json
deleted file mode 100644
index e7325794a1..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "topicName": "PNF_REGISTRATION",
- "topicDescription": "the VES collector will be publishing pnfRegistration events in this topic",
- "owner": "VEScollector",
- "tnxEnabled": false,
- "clients": [
- {
- "dcaeLocationName": "san-francisco",
- "clientRole": "org.onap.dmaap.mr.PNF_REGISTRATION.sub",
- "action": [
- "sub",
- "view"
- ]
-
- }
- ]
-}
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/README b/kubernetes/dmaap/components/dmaap-bc/resources/topics/README
deleted file mode 100644
index fbb88b97e6..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/README
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-# Intent of this directory is for it to contain a file for each topic that needs to be provisioned in MR.
-# So, app teams can add files to this directory as needed without impacting each other's code.
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json
deleted file mode 100644
index fb2c54ed4b..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "topicName": "mirrormakeragent",
- "topicDescription": "the topic used to provision the MM agent whitelist",
- "replicationCase": "REPLICATION_NONE",
- "owner": "dmaap",
- "tnxEnabled": false,
- "partitionCount": "1",
- "clients": [
- {
- "dcaeLocationName": "san-francisco",
- "clientIdentity": "dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org",
- "action": [
- "pub",
- "sub",
- "view"
- ]
- },
- {
- "dcaeLocationName": "san-francisco",
- "clientIdentity": "dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org",
- "action": [
- "pub",
- "sub",
- "view"
- ]
- },
- {
- "dcaeLocationName": "san-francisco",
- "clientIdentity": "demo@people.osaaf.org",
- "action": [
- "pub",
- "sub",
- "view"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-bc/templates/NOTES.txt
deleted file mode 100644
index 050853cfa2..0000000000
--- a/kubernetes/dmaap/components/dmaap-bc/templates/NOTES.txt
+++ /dev/null
@@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}-prov) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml deleted file mode 100644 index b7c52df169..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -{{/* -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-dmaap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dmaap/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-dcaelocations - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dcaeLocations/*.json").AsConfig . 
| indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dr-nodes - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_nodes/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-feeds - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/feeds/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-mr-clusters - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/mr_clusters/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-topics - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/topics/*.json").AsConfig . | indent 2 }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml deleted file mode 100644 index a0c315426c..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml +++ /dev/null 
@@ -1,137 +0,0 @@ -{{/* -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim}} -{{- if .Values.PG.enabled }} - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: PG_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: {{ include "common.name" . }}-config-input - - mountPath: /config - name: {{ include "common.name" . }}-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | nindent 6 }} -{{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . 
}}-permission-fixer - securityContext: - runAsUser: 0 - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - command: ["chown","-Rf","1000:1001", "/opt/app/"] -# See AAF-425 for explanation of why this is needed. -# This artifact is provisioned in AAF for both pks12 and jks format and apparently -# the cadi library is not using the jks password on the jks keystore. -# So, this attempts to "fix" the credential property file until this is fixed properly. - - name: {{ include "common.name" . }}-cred-fixer - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - command: ["/bin/sh"] - args: [ "-c", "sed -i -e '/cadi_keystore_password=/d' -e '/cadi_keystore_password_jks/p' -e 's/cadi_keystore_password_jks/cadi_keystore_password/' -e 's/dmaap-bc.p12/dmaap-bc.jks/' /opt/app/osaaf/local/org.onap.dmaap-bc.cred.props" ] -{{- end }} - - name: {{ include "common.name" . }}-postgres-readiness - securityContext: - runAsUser: 100 - runAsGroup: 65533 - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.postgres.nameOverride }} - - --container-name - - message-router - - --container-name - - dmaap-dr-node - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- end }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . 
| nindent 10 }} - {{ if eq .Values.liveness.enabled true -}} - livenessProbe: - httpGet: - port: {{ .Values.liveness.port }} - path: /webapi/topics - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - httpGet: - port: {{ .Values.readiness.port }} - path: /webapi/topics - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true -# NOTE: on the following several configMaps, careful to include / at end -# since there may be more than one file in each mountPath - - name: {{ include "common.name" . }}-config - mountPath: /opt/app/config/conf/ - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.name" . }}-config-input - configMap: - name: {{ include "common.fullname" . }}-config - - name: {{ include "common.name" . }}-config - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml deleted file mode 100644 index ab6f573a34..0000000000 
--- a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-dmaap-provisioning - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} -spec: - backoffLimit: 20 - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dmaap-bc - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: dmaap-provisioning-job - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.clientImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DELAY - value: "0" - {{- if or (include "common.onServiceMesh" .) .Values.global.allow_http }} - - name: PROTO - value: "http" - - name: PORT - value: "8080" - {{ end }} - - name: REQUESTID - value: "{{.Chart.Name}}-dmaap-provisioning" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true -# NOTE: on the following several configMaps, careful to include / at end -# since there may be more than one file in each mountPath -# NOTE: the basename of the subdirectory of mountPath is important - it matches the DBCL API URI - - name: {{ include "common.fullname" . }}-dbc-dmaap - mountPath: /opt/app/config/dmaap/ - - name: {{ include "common.fullname" . }}-dbc-dcaelocations - mountPath: /opt/app/config/dcaeLocations/ - - name: {{ include "common.fullname" . }}-dr-nodes - mountPath: /opt/app/config/dr_nodes/ - - name: {{ include "common.fullname" . }}-feeds - mountPath: /opt/app/config/feeds/ - - name: {{ include "common.fullname" . 
}}-mr-clusters - mountPath: /opt/app/config/mr_clusters/ - - name: {{ include "common.fullname" . }}-topics - mountPath: /opt/app/config/topics/ - resources: {{ include "common.resources" . | nindent 10 }} - {{ include "common.waitForJobContainer" . | indent 6 | trim }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-dbc-dmaap - configMap: - name: {{ include "common.fullname" . }}-dbc-dmaap - - name: {{ include "common.fullname" . }}-dbc-dcaelocations - configMap: - name: {{ include "common.fullname" . }}-dbc-dcaelocations - - name: {{ include "common.fullname" . }}-dr-nodes - configMap: - name: {{ include "common.fullname" . }}-dr-nodes - - name: {{ include "common.fullname" . }}-feeds - configMap: - name: {{ include "common.fullname" . }}-feeds - - name: {{ include "common.fullname" . }}-mr-clusters - configMap: - name: {{ include "common.fullname" . }}-mr-clusters - - name: {{ include "common.fullname" . }}-topics - configMap: - name: {{ include "common.fullname" . }}-topics - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/ingress.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml deleted file mode 100644 index 7074e4de9a..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ - -# Modifications Copyright © 2019 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/service.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/service.yaml deleted file mode 100644 index e658a712a0..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml deleted file mode 100644 index 911fee85f4..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/values.yaml +++ /dev/null 
@@ -1,182 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -secrets: - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-dmaap-bc-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dmaap-bc-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-dmaap-bc-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dmaap-bc-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - -################################################################# -# Application configuration defaults. 
-################################################################# -pullPolicy: Always - -# application images -image: onap/dmaap/dmaap-bc:2.0.10 - - -# application configuration -dmaapMessageRouterService: message-router - -# change the following value to point to Windriver instance maintained -# by AAF team. -# e.g. -#aafURL: https://aaf-onap-test.osaaf.org:8095/proxy/ -aafURL: https://aaf-service:8100/ -aafLocateUrl: https://aaf-locate:8095 -topicMgrUser: dmaap-bc@dmaap-bc.onap.org -topicMgrPwd: demo123456! -adminUser: aaf_admin@people.osaaf.org -adminPwd: demo123456! - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-bc-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: dmaap-bc - fqi: dmaap-bc@dmaap-bc.onap.org - publicFqdn: dmaap-bc.onap.org - cadiLatitude: 0.0 - cadiLongitude: 0.0 - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - -persistence: - aafCredsPath: /opt/app/osaaf/local/ - -# for Casablanca default deployment, leave this true to -# get a topic namespace that matches MR. 
When set to false, -# it will compose the topic namespace using the kubernetes namespace value -fixedTopicNamespace: true - -# for quicker deployments in dev, ability to disable using postgres -PG: - enabled: true - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - port: api - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - port: api - - -service: - type: NodePort - name: dmaap-bc - ports: - - name: api - port: 8443 - plain_port: 8080 - port_protocol: http - nodePort: 42 - - -# application configuration override for postgres -postgres: - nameOverride: dbc-pg - service: - name: dbc-postgres - name2: dbc-pg-primary - name3: dbc-pg-replica - container: - name: - primary: dbc-pg-primary - replica: dbc-pg-replica - config: - pgUserName: dmaap_admin - pgDatabase: dmaap - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName - persistence: - mountSubPath: dbc/data - mountInitPath: dbc - -ingress: - enabled: false - service: - - baseaddr: "dmaap-bc-api" - name: "dmaap-bc" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small - -securityContext: - user_id: 1000 - group_id: 101 - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dmaap-bc - roles: - - read - -wait_for_job_container: - containers: - - 'dmaap-provisioning-job' - diff --git a/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml b/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml index c0a3039b3a..13e4ed7ca2 100644 
--- a/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP DMaaP Data Router Node Server name: dmaap-dr-node -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~12.x-0 + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 6292be2d9d..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2019 The Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -# dmaap-dr-node filebeat.yml -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.global.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.global.logstashPort}}"] - #If enable will do load balancing among available Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml index 8b8c16c287..7d773830cd 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml +++ b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml @@ -211,7 +211,7 @@ - + diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties index 20030a79c8..21d7c20abd 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties +++ b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties 
@@ -28,23 +28,23 @@ # #ProvisioningURL: ${DRTR_PROV_INTURL} */}} -ProvisioningURL=https://{{ .Values.global.dmaapDrProvName }}:{{ .Values.global.dmaapDrProvExtPort2 }}/internal/prov +ProvisioningURL=http://{{ .Values.global.dmaapDrProvName }}:8080/internal/prov # # URL to upload PUB/DEL/EXP logs # #LogUploadURL: ${DRTR_LOG_URL} -LogUploadURL=https://{{ .Values.global.dmaapDrProvName }}:{{ .Values.global.dmaapDrProvExtPort2 }}/internal/logs +LogUploadURL=http://{{ .Values.global.dmaapDrProvName }}:8080/internal/logs # # The port number for http as seen within the server # #IntHttpPort: ${DRTR_NODE_INTHTTPPORT:-8080} -IntHttpPort={{ include "common.getPort" (dict "global" . "name" "api" "getPlain" true) }} +IntHttpPort={{ .Values.containerPort }} # # The port number for https as seen within the server # -IntHttpsPort={{ include "common.getPort" (dict "global" . "name" "api") }} +IntHttpsPort={{ .Values.containerPort }} # # The external port number for https taking port mapping into account # @@ -90,6 +90,9 @@ NodeAuthKey = Node123! # DR_NODE DEFAULT ENABLED TLS PROTOCOLS NodeHttpsProtocols = TLSv1.1|TLSv1.2 # +# AAF CADI enabled flag +CadiEnabled = false +# # AAF type to generate permission string AAFType = org.onap.dmaap-dr.feed # @@ -99,8 +102,8 @@ AAFInstance = legacy # AAF action to generate permission string - default should be publish AAFAction = publish # -# AAF CADI enabled flag -CadiEnabled = false -# # AAF Props file path -AAFPropsFilePath = {{ .Values.certInitializer.credsPath }}/org.onap.dmaap-dr.props +AAFPropsFilePath = /opt/app/osaaf/local/org.onap.dmaap-dr.props +# +# https security required for publish request +TlsEnabled = false \ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt deleted file mode 100644 index 62aeffbe80..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt +++ /dev/null 
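Review bot: `ProvisioningURL` and `LogUploadURL` now use plain `http://` on a hard-coded `8080`, so the node's calls to `/internal/prov` and `/internal/logs` are unencrypted unless something outside this file (presumably a service mesh) adds mTLS. The same applies to `TlsEnabled = false` in the last hunk of this file and to `org.onap.dmaap.datarouter.provserver.tlsenabled = false` in provserver.properties. Nothing here makes that dependency explicit, so I would add a comment above the URLs such as `# plain HTTP: transport security is expected from the service mesh; do not deploy without it`. `IntHttpPort` and `IntHttpsPort` now both render `{{ .Values.containerPort }}`; if TLS is ever switched back on, the two listeners would collide, which deserves a one-line comment on `IntHttpsPort`.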
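Review bot: `AAFPropsFilePath = /opt/app/osaaf/local/org.onap.dmaap-dr.props` in the last hunk of this file now points at a literal path, while this commit removes the certInitializer dependency and its volume mounts from the chart, so nothing visible populates that directory any more. With `CadiEnabled = false` the value is presumably never read, but a dangling credentials path invites someone to flip the flag and get a confusing failure. I would either drop the AAF keys together or add `# unused while CadiEnabled = false; no volume provides this path`. The file also ends without a trailing newline after `TlsEnabled = false`.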
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{.Values.config.dmaapDrNode.externalPort}} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ include "common.getPort" (dict "global" . "name" "api" "getPlain" true) }} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml index 597da1734c..ce64cabc92 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml @@ -17,15 +17,10 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-configmap + name: {{ include "common.fullname" . }}-node-props namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/node.properties").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap @@ -34,18 +29,3 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-drnodes - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_nodes/*.json").AsConfig . | indent 2 }} ---- -{{ include "common.log.configMap" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml index 8f87c68f1e..f288af9b29 100644 
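Review bot: The renamed `-node-props` ConfigMap still renders `resources/config/node.properties` verbatim, and that template carries the literal `NodeAuthKey = Node123!` (visible as hunk context in the node.properties diff), so a shared authentication key ships as a chart default readable by anyone who can read ConfigMaps in the namespace. Narrowing the glob from `resources/config/*` is a good step, but the key itself should come from a Secret and be per-deployment; provserver.properties in this commit already uses `${DB_PASSWORD}`-style placeholders, though whether the node image supports the same substitution is not visible here. Separately, the first hunk drops the `labels:` block without a replacement; `labels: {{- include "common.labels" . | nindent 4 }}` would keep the ConfigMap selectable like the other resources.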
--- a/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml @@ -1 +1,21 @@ +{{/* + # ============LICENSE_START=================================================== + # Copyright (C) 2022 Nordix Foundation, Orange. + # ============================================================================ + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # ============LICENSE_END===================================================== +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml deleted file mode 100644 index 9a3f011e80..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml index 69f6fc1d6e..2795a2b5e5 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml 
@@ -24,35 +24,18 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim}} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 8 }} - - name: {{ include "common.name" . }}-readiness - securityContext: - runAsUser: 100 - runAsGroup: 65533 - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dmaap-dr-prov - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 8 }} - name: {{ include "common.name" . }}-permission-fixer securityContext: runAsUser: 0 image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: {{ .Values.persistence.spool.path }} - name: {{ include "common.fullname" . }}-spool - - mountPath: {{ .Values.persistence.event.path }} - name: {{ include "common.fullname" . }}-event-logs command: ["chown","-Rf","1000:1001", "/opt/app/"] + volumeMounts: + - name: {{ include "common.fullname" . }}-spool + mountPath: {{ .Values.persistence.spool.path }} + - name: {{ include "common.fullname" . }}-event-logs + mountPath: {{ .Values.persistence.event.path }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
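Review bot: The re-added `command: ["chown","-Rf","1000:1001", "/opt/app/"]` runs in an init container with `runAsUser: 0` and hard-codes an owner whose gid (1001) does not match `securityContext.group_id: 1000` in this chart's values.yaml. Only the spool and event-log paths are mounted into that container, so the recursive chown over all of `/opt/app/` has no lasting effect beyond those two mounts, and `-f` hides any failure. I would chown just `{{ .Values.persistence.spool.path }}` and `{{ .Values.persistence.event.path }}`, and take the uid and gid from `.Values.securityContext` once it is confirmed which gid the image expects. If `common.podSecurityContext` already sets an fsGroup (not visible here), the root init container may be removable altogether. The pod spec continues outside this hunk.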
@@ -70,22 +53,17 @@ spec: port: {{.Values.readiness.port}} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: {{ .Values.persistence.spool.path }} - name: {{ include "common.fullname" . }}-spool - - mountPath: {{ .Values.persistence.event.path }} - name: {{ include "common.fullname" . }}-event-logs - - mountPath: /etc/localtime - name: localtime - readOnly: false - - mountPath: /opt/app/datartr/etc/node.properties - name: {{ include "common.fullname" . }}-config - subPath: node.properties - - mountPath: /opt/app/datartr/etc/logback.xml - name: {{ include "common.fullname" . }}-log-conf - subPath: logback.xml - - mountPath: {{ .Values.global.loggingDirectory }} - name: logs + volumeMounts: + - mountPath: {{ .Values.persistence.spool.path }} + name: {{ include "common.fullname" . }}-spool + - mountPath: {{ .Values.persistence.event.path }} + name: {{ include "common.fullname" . }}-event-logs + - mountPath: /opt/app/datartr/etc/node.properties + name: {{ include "common.fullname" . }}-config + subPath: node.properties + - mountPath: /opt/app/datartr/etc/logback.xml + name: {{ include "common.fullname" . }}-log-conf + subPath: logback.xml resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} 
@@ -93,27 +71,18 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} - # Filebeat sidecar container - {{ include "common.log.sidecar" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: {{ include "common.fullname" . }}-config configMap: - name: {{ include "common.fullname" . }}-configmap + name: {{ include "common.fullname" . }}-node-props items: - key: node.properties path: node.properties - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{ include "common.log.volumes" . | nindent 8 }} - - name: logs - emptyDir: {} {{- if not .Values.persistence.enabled }} - name: {{ include "common.fullname" . }}-event-logs emptyDir: {} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml index 6da3cda668..e3f0595b1f 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml 
@@ -16,42 +16,16 @@ # Global configuration defaults. ################################################################# global: - loggingDirectory: /var/log/onap/datarouter persistence: {} - aafEnabled: true - centralizedLoggingEnabled: true - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-dr-node-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: dmaap-dr-node - fqi: dmaap-dr-node@dmaap-dr.onap.org - public_fqdn: dmaap-dr.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: > - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop + dmaapDrProvName: dmaap-dr-prov ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-node:2.1.11 +image: onap/dmaap/datarouter-node:2.1.15 pullPolicy: Always -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration - see parent values chart - # default number of instances replicaCount: 1 
@@ -59,6 +33,29 @@ nodeSelector: {} affinity: {} +# application configuration - see parent values chart +# dr uses the EELF Logging framework https://github.com/att/EELF +# and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF +logLevel: "DEBUG" + +containerPort: &svc_port 8080 + +service: + type: ClusterIP + name: dmaap-dr-node + ports: + - name: http + port: *svc_port + +ingress: + enabled: false + service: + - baseaddr: "dmaap-dr-node-api" + name: "dmaap-dr-node" + port: *svc_port + config: + ssl: "redirect" + # probe configuration parameters liveness: initialDelaySeconds: 30 @@ -66,14 +63,14 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true - port: api + port: *svc_port readiness: initialDelaySeconds: 30 periodSeconds: 10 - port: api + port: *svc_port -## Persist data to a persitent volume +## Persist data to a persistent volume persistence: enabled: true mountPath: /dockerdata-nfs 
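Review bot: The new top-level `logLevel: "DEBUG"` makes debug logging the chart default, whereas the `config.dmaapDrNode.logLevel` key removed later in this file was `"INFO"`. For a component that relays feeds, debug output may include request details and will increase log volume considerably; what exactly is logged at that level is not visible here. I would keep `logLevel: "INFO"` as the default and let a deployment override it when debugging. In the same hunk, the ingress keeps `ssl: "redirect"` while the only service port is the plain `http` one, which is worth a comment saying where TLS terminates.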
@@ -97,73 +94,38 @@ persistence: labels: app.kubernetes.io/component: event-logs -################################################################# -# Secrets metaconfig -################################################################# -secrets: {} - -ingress: - enabled: false - service: - - baseaddr: "dmaap-dr-node-api" - name: "dmaap-dr-node" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - # Resource Limit flavor -By Default using small flavor: small -securityContext: - user_id: 1000 - group_id: 1000 - # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} -service: - type: NodePort - name: dmaap-dr-node - useNodePortExt: true - both_tls_and_plain: true - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" - ports: - - name: api - port: 8443 - plain_port: 8080 - port_protocol: http - nodePort: 94 - -config: - # dr node server configuration - dmaapDrNode: - # dr uses the EELF Logging framework https://github.com/att/EELF - # and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF - logLevel: "INFO" - #Pods Service Account serviceAccount: nameOverride: dmaap-dr-node roles: - read -#Log configuration -log: - path: /var/log/onap +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for: + services: + - dmaap-dr-prov diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml index 15c6e8b25b..fb3ff1236d 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml 
@@ -16,25 +16,25 @@ apiVersion: v2 description: ONAP DMaaP Data Router Provisioning Server name: dmaap-dr-prov -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: mariadb-init - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index c8a173c531..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2019 The Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -# dmaap-dr-prov filebeat.yml -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - - /opt/app/datartr/logs/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.global.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.global.logstashPort}}"] - #If enable will do load balancing among available Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml index 73446ee3ec..9a3c383f8f 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml @@ -369,15 +369,17 @@ + + + + - - - - + - \ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties index 18ab41982a..a56de3cd3b 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties +++ b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties 
@@ -25,35 +25,20 @@ #Jetty Server properties -org.onap.dmaap.datarouter.provserver.http.port = {{.Values.config.dmaapDrProv.internalPort}} -org.onap.dmaap.datarouter.provserver.https.port = {{.Values.config.dmaapDrProv.internalPort2}} +org.onap.dmaap.datarouter.provserver.http.port = {{ .Values.containerPort }} org.onap.dmaap.datarouter.provserver.https.relaxation = true -org.onap.dmaap.datarouter.provserver.aafprops.path = /opt/app/osaaf/local/org.onap.dmaap-dr.props +org.onap.dmaap.datarouter.provserver.tlsenabled = false +org.onap.dmaap.datarouter.nodeserver.http.port = 8080 org.onap.dmaap.datarouter.provserver.accesslog.dir = /opt/app/datartr/logs org.onap.dmaap.datarouter.provserver.spooldir = /opt/app/datartr/spool org.onap.dmaap.datarouter.provserver.dbscripts = /opt/app/datartr/etc/misc org.onap.dmaap.datarouter.provserver.logretention = 30 -#DMAAP-597 (Tech Dept) REST request source IP auth -# relaxation to accommodate OOM kubernetes deploy -org.onap.dmaap.datarouter.provserver.isaddressauthenabled = false - # Database access org.onap.dmaap.datarouter.db.driver = org.mariadb.jdbc.Driver org.onap.dmaap.datarouter.db.url = jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{index .Values "mariadb-galera" "db" "name"}} org.onap.dmaap.datarouter.db.login = ${DB_USERNAME} org.onap.dmaap.datarouter.db.password = ${DB_PASSWORD} -# PROV - DEFAULT ENABLED TLS PROTOCOLS -org.onap.dmaap.datarouter.provserver.https.include.protocols = TLSv1.1|TLSv1.2 - -# AAF config -org.onap.dmaap.datarouter.provserver.cadi.enabled = false - -org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.feed -org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub -org.onap.dmaap.datarouter.provserver.aaf.instance = legacy -org.onap.dmaap.datarouter.provserver.aaf.action.publish = publish -org.onap.dmaap.datarouter.provserver.aaf.action.subscribe = subscribe 
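Review bot: `org.onap.dmaap.datarouter.provserver.tlsenabled = false` is hard-coded in the template, so the provisioning server keeps only the plain HTTP listener on `{{ .Values.containerPort }}` and no chart value can turn TLS back on. The same hunk drops the AAF/CADI settings and the TLS protocol list, which leaves transport protection and caller authentication to whatever sits in front of the pod, and nothing in this file says what that is. I would add a comment above the new line, for example `# TLS and client auth are handled outside the pod (mesh/ingress); do not expose this port directly`, worded to match the real deployment. The removed `isaddressauthenabled = false` override now falls back to the application default, which is not visible here and should be confirmed. `https.relaxation = true` is left behind although the HTTPS port is gone, and `nodeserver.http.port = 8080` is a literal next to a templated prov port.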
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-dr-prov/templates/NOTES.txt
deleted file mode 100644
index 8d29cf9e66..0000000000
--- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.config.dmaapDrProv.servicetype }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.config.dmaapDrProv.servicetype }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{.Values.config.dmaapDrProv.externalPort}} -{{- else if contains "ClusterIP" .Values.config.dmaapDrProv.servicetype }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{.Values.config.dmaapDrProv.internalPort}} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml index 9031cce423..1cd524423e 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml @@ -36,42 +36,3 @@ data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} --- {{ include "common.log.configMap" . }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-feeds - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/feeds/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-drpubs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_pubs/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-drsubs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_subs/*.json").AsConfig . | indent 2 }} 
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml
index 325ca9f2a7..197638e654 100644
--- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml
+++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml
@@ -15,95 +15,46 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim}} - hostname: {{ .Values.global.dmaapDrProvName }} - initContainers: - - name: {{ include "common.name" . }}-readiness - securityContext: - runAsUser: 100 - runAsGroup: 65533 - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-dmaap-dr-mariadb-init-config-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- if .Values.global.aafEnabled }} - - {{ include "common.certInitializer.initContainer" . | nindent 8 }} - - - name: {{ include "common.name" . }}-permission-fixer - securityContext: - runAsUser: 0 - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - command: ["chown","-Rf","1000:1001", "/opt/app/"] - - {{ end }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . 
}} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.config.dmaapDrProv.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: - tcpSocket: - port: {{ .Values.config.dmaapDrProv.internalPort }} + httpGet: + port: {{ .Values.liveness.port }} + path: /internal/prov initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: - tcpSocket: - port: {{ .Values.config.dmaapDrProv.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} + httpGet: + port: {{ .Values.liveness.port }} + path: /internal/prov + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} env: - name: DB_USERNAME {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-dr-db-user-credentials" "key" "login") | indent 12 }} - name: DB_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-dr-db-user-credentials" "key" "password") | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: false - - mountPath: /opt/app/datartr/etc/provserver.properties - name: {{ include "common.fullname" . }}-config - subPath: provserver.properties - - mountPath: /opt/app/datartr/etc/logback.xml - name: {{ include "common.fullname" . }}-log-conf - subPath: logback.xml - - mountPath: {{ .Values.global.loggingDirectory }} - name: logs - resources: -{{ include "common.resources" . }} + volumeMounts: + - mountPath: /opt/app/datartr/etc/provserver.properties + name: {{ include "common.fullname" . 
}}-config + subPath: provserver.properties + - mountPath: /opt/app/datartr/etc/logback.xml + name: {{ include "common.fullname" . }}-log-conf + subPath: logback.xml + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -112,13 +63,8 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - # Filebeat sidecar container - {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -128,8 +74,4 @@ spec: - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{ include "common.log.volumes" . | nindent 6 }} - - name: logs - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml index 8f87c68f1e..f288af9b29 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml 
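Review bot: The new `readinessProbe` in the first deployment.yaml hunk reads `.Values.liveness.port`, `.Values.liveness.initialDelaySeconds` and `.Values.liveness.periodSeconds`, so the `readiness:` block that this chart's values.yaml defines is never used. The three lines should read `port: {{ .Values.readiness.port }}`, `initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}` and `periodSeconds: {{ .Values.readiness.periodSeconds }}`. The hunk also removes `replicas: {{ .Values.replicaCount }}` with no replacement on the visible new side, so `replicaCount` appears to have no effect unless a common helper supplies it; `replicas: {{ .Values.replicaCount }}` under `spec:` would restore it. Both probes are now unauthenticated HTTP GETs on `/internal/prov`, so it is worth confirming that this path returns only health state.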
@@ -1 +1,21 @@ +{{/* + # ============LICENSE_START=================================================== + # Copyright (C) 2022 Nordix Foundation, Orange. + # ============================================================================ + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # ============LICENSE_END===================================================== +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml index 1a0143f9ae..306b0f17eb 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml 
@@ -14,51 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ default "dmaap-dr-prov" .Values.global.dmaapDrProvName }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" - msb.onap.org/service-info: '[ - { - "serviceName": "{{ .Values.global.dmaapDrProvName }}", - "version": "v1", - "url": "/", - "protocol": "REST", - "port": "{{ .Values.global.dmaapDrProvExtPort2 }}", - "visualRange":"1" - } - ]' - -spec: - type: {{ .Values.config.dmaapDrProv.servicetype }} - ports: - {{- if eq .Values.config.dmaapDrProv.servicetype "NodePort" -}} - {{- if .Values.global.allow_http }} - - port: {{ .Values.global.dmaapDrProvExtPort }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.config.dmaapDrProv.nodePort }} - name: {{ .Values.config.dmaapDrProv.portName }} - {{- end}} - - port: {{ .Values.global.dmaapDrProvExtPort2 }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.config.dmaapDrProv.nodePort2 }} - name: {{ .Values.config.dmaapDrProv.portName }}2 - {{- else -}} - - port: {{ .Values.global.dmaapDrProvExtPort }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort }} - name: {{ .Values.config.dmaapDrProv.portName }} - - port: {{ .Values.global.dmaapDrProvExtPort2 }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort2 }} - name: {{ .Values.config.dmaapDrProv.portName }}2 - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} 
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml index 59b0765f28..c13ba57c83 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml @@ -16,11 +16,9 @@ # Global configuration defaults. ################################################################# global: - nodePortPrefix: 302 - loggingDirectory: /opt/app/datartr/logs - persistence: {} - centralizedLoggingEnabled: true mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows DMAAP-DR to instantiate its own mariadb-galera cluster localCluster: false service: mariadb-galera @@ -42,14 +40,9 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-prov:2.1.11 +image: onap/dmaap/datarouter-prov:2.1.15 pullPolicy: Always -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration - see parent values chart - # default number of instances replicaCount: 1 
@@ -57,53 +50,54 @@ nodeSelector: {} affinity: {} -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true +containerPort: &svc_port 8080 -readiness: - initialDelaySeconds: 30 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountPath: /dockerdata-nfs +service: + type: ClusterIP + name: dmaap-dr-prov + ports: + - name: &port http + port: *svc_port ingress: enabled: false service: - baseaddr: "dmaap-dr-prov-api" name: "dmaap-dr-prov" - port: 8443 - plain_port: 8080 + port: *svc_port config: ssl: "redirect" -config: - # dr provisioning server configuration - dmaapDrProv: - servicetype: NodePort - internalPort: 8080 - internalPort2: 8443 - portName: dr-prov-port - portName2: dr-prov-port2 - nodePort: 59 - nodePort2: 69 - # dr uses the EELF Logging framework https://github.com/att/EELF - # and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF - logLevel: "INFO" +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-dmaap-dr-mariadb-init-config-job' + +# dr uses the EELF Logging framework https://github.com/att/EELF +# and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF +logLevel: "DEBUG" + +# probe configuration parameters +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: *svc_port + +readiness: + initialDelaySeconds: 60 + periodSeconds: 10 + port: *svc_port # mariadb-galera configuration mariadb-galera: nameOverride: &dbServer dmaap-dr-db replicaCount: 1 + mariadbOperator: + galera: + enabled: false db: name: &mysqlDbName datarouter user: datarouter 
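Review bot: The chart default becomes `logLevel: "DEBUG"` where the old `config.dmaapDrProv.logLevel` was `"INFO"`. Debug output as the shipped default raises log volume and, depending on what the application writes at that level, can put request details or feed and subscriber data into the logs; `logLevel: "INFO"` with DEBUG as an opt-in override is the safer default. The key also moved from `config.dmaapDrProv.logLevel` to the top level, so an existing override under the old path would be silently ignored. In the same hunk `ingress.config.ssl: "redirect"` is kept while the only service port is the plain HTTP `*svc_port`, which should be checked against what `common.ingress` does with that setting.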
@@ -123,55 +117,37 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: dmaap-dr-mariadb-init - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-dr-prov-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! -# aafDeployCredsExternalSecret: some secret - fqdn: dmaap-dr-prov - fqi: dmaap-dr-prov@dmaap-dr.onap.org - publicFqdn: dmaap-dr.onap.org - cadiLatitude: 0.0 - cadiLongitude: 0.0 - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - + serviceAccount: + nameOverride: dmaap-dr-mariadb-init # Resource Limit flavor -By Default using small flavor: small -securityContext: - user_id: 1000 - group_id: 1000 - # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +#Pods Security Context +securityContext: + user_id: 1000 + group_id: 1000 + #Pods Service Account serviceAccount: nameOverride: dmaap-dr-prov roles: - read - -#Log configuration -log: - path: /var/log/onap diff --git a/kubernetes/dmaap/components/message-router/Chart.yaml b/kubernetes/dmaap/components/message-router/Chart.yaml index ba7beaf7f7..adc0599e94 100644 --- a/kubernetes/dmaap/components/message-router/Chart.yaml +++ b/kubernetes/dmaap/components/message-router/Chart.yaml 
@@ -18,21 +18,18 @@ apiVersion: v2 description: ONAP Message Router name: message-router -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties index a9b0a012a4..2dea84d289 100755 --- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties +++ b/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties @@ -30,7 +30,7 @@ ## if you want to change request.required.acks it can take this one value #kafka.request.required.acks=-1 kafka.metadata.broker.list={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -config.zk.servers=127.0.0.1:{{ .Values.global.zkTunnelService.internalPort }} +config.zk.servers=127.0.0.1:{{ .Values.zkTunnelService.internalPort }} consumer.timeout.ms=100 zookeeper.connection.timeout.ms=6000 zookeeper.session.timeout.ms=20000 
@@ -124,26 +124,10 @@ default.replicas=3 #100mb maxcontentlength=10000 - ############################################################################## -#AAF Properties -msgRtr.namespace.aaf=org.onap.dmaap.mr.topic -msgRtr.topicfactory.aaf=org.onap.dmaap.mr.topicFactory|:org.onap.dmaap.mr.topic: -enforced.topic.name.AAF=org.onap.dmaap.mr +##AAF Properties forceAAF=false useCustomAcls=false -transidUEBtopicreqd=false -defaultNSforUEB=org.onap.dmaap.mr -############################################################################## -#Mirror Maker Agent - -msgRtr.mirrormakeradmin.aaf=org.onap.dmaap.mr.mirrormaker|*|admin -msgRtr.mirrormakeruser.aaf=org.onap.dmaap.mr.mirrormaker|*|user -msgRtr.mirrormakeruser.aaf.create=org.onap.dmaap.mr.topicFactory|:org.onap.dmaap.mr.topic: -msgRtr.mirrormaker.timeout=15000 -msgRtr.mirrormaker.topic=org.onap.dmaap.mr.mirrormakeragent -msgRtr.mirrormaker.consumergroup=mmagentserver -msgRtr.mirrormaker.consumerid=1 kafka.max.poll.interval.ms=300000 kafka.heartbeat.interval.ms=60000 diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/jmx-mrservice-prometheus.yml b/kubernetes/dmaap/components/message-router/resources/config/dmaap/jmx-mrservice-prometheus.yml deleted file mode 100644 index 3ee9fc5fe6..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/jmx-mrservice-prometheus.yml +++ /dev/null @@ -1,4 +0,0 @@ -jmxUrl: service:jmx:rmi:///jndi/rmi://localhost:{{ .Values.prometheus.jmx.targetPort }}/jmxrmi -lowercaseOutputName: true -lowercaseOutputLabelNames: true -ssl: false \ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties deleted file mode 100644 index cd88565ed0..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties +++ /dev/null 
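Review bot: The section is still headed `##AAF Properties` although this hunk removes every AAF setting except `forceAAF=false` and `useCustomAcls=false`. With both flags false and no AAF namespace left, the file shows no application-level authorisation on topics, so the heading should say that rather than suggest AAF is in use. I would replace it with a comment such as `# AAF removed: message-router does not enforce topic authorisation itself`, adjusted to name the real enforcement point if one exists elsewhere in the deployment.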
@@ -1,165 +0,0 @@ -############################################################################### -# ============LICENSE_START======================================================= -# org.onap.dmaap -# ================================================================================ -# Copyright (c) 2017-201 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2021 Orange Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -# -############################################################################### -#This file is used for defining AJSC system properties for different configuration schemes and is necessary for the AJSC to run properly. -#The sys-props.properties file is used for running locally. The template.sys-props.properties file will be used when deployed -#to a SOA/CSI Cloud node. For more information, - -#AJSC System Properties. The following properties are required for ALL AJSC services. If you are adding System Properties for your -#particular service, please add them AFTER all AJSC related System Properties. 
- -#For Cadi Authorization, use value="authentication-scheme-1 -CadiAuthN=authentication-scheme-1 - -#For Basic Authorization, use value="authentication-scheme-1 -authN=authentication-scheme-2 - -#Persistence used for AJSC meta-data storage. For most environments, "file" should be used. -ajscPersistence=file - -# If using hawtio for local development, these properties will allow for faster server startup and usage for local development -hawtio.authenticationEnabled=false -hawtio.config.pullOnStartup=false - -#Removes the extraneous restlet console output -org.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade - -#server.host property to be enabled for local DME2 related testing -#server.host= - -#Enable/disable SSL (values=true/false). This property also determines which protocol to use (https if true, http otherwise), to register services into GRM through DME2. -enableSSL=false - -#Enable/disable csi logging (values=true/false). This can be disabled during local development -csiEnable=false - -#Enable/disable CAET This can be disabled during local development -isCAETEnable=true - -#Enable/disable EJB Container -ENABLE_EJB=false - -#Enable/disable OSGI -isOSGIEnable=false - -#Configure JMS Queue (WMQ/TIBCO) -JMS_BROKER=WMQ - -#Generate/Skip api docs -isApiDoc=false - - -#WMQ connectivity -JMS_WMQ_PROVIDER_URL=aftdsc://AFTUAT/34.07/-84.28 -JMS_WMQ_CONNECTION_FACTORY_NAME=aftdsc://AFTUAT/?service=CSILOG,version=1.0,bindingType=fusionBus,envContext=Q,Q30A=YES -JMS_WMQ_INITIAL_CONNECTION_FACTORY_NAME=com.att.aft.jms.FusionCtxFactory -JMS_WMQ_AUDIT_DESTINATION_NAME=queue:///CSILOGQL.M2E.DASHBOARD01.NOT.Q30A -JMS_WMQ_PERF_DESTINATION_NAME=queue:///CSILOGQL.M2E.PERFORMANCE01.NOT.Q30A - -#CSI related variables for CSM framework -csm.hostname=d1a-m2e-q112m2e1.edc.cingular.net - -#Enable/disable endpoint level logging (values=true/false). 
This can be disabled during local development -endpointLogging=false - -#Enable/disable trail logging and trail logging summary -enableTrailLogging=false -enableTrailLoggingSummary=false - -#SOA_CLOUD_ENV is used to register your service with dme2 and can be turned off for local development (values=true/false). -SOA_CLOUD_ENV=false - -#CONTINUE_ON_LISTENER_EXCEPTION will exit the application if there is a DME2 exception at the time of registration. -CONTINUE_ON_LISTENER_EXCEPTION=false - -#Jetty Container ThreadCount Configuration Variables -AJSC_JETTY_ThreadCount_MIN=1 -AJSC_JETTY_ThreadCount_MAX=200 -AJSC_JETTY_IDLETIME_MAX=3000 - -#Camel Context level default threadPool Profile configuration -CAMEL_POOL_SIZE=10 -CAMEL_MAX_POOL_SIZE=20 -CAMEL_KEEP_ALIVE_TIME=60 -CAMEL_MAX_QUEUE_SIZE=1000 - -#File Monitor configurations -ssf_filemonitor_polling_interval=5 -ssf_filemonitor_threadpool_size=10 - -#GRM/DME2 System Properties -AFT_DME2_CONN_IDLE_TIMEOUTMS=5000 -AJSC_ENV=SOACLOUD - -SOACLOUD_NAMESPACE=org.onap.dmaap.dev -SOACLOUD_ENV_CONTEXT=TEST -SOACLOUD_PROTOCOL=http -SOACLOUD_ROUTE_OFFER=DEFAULT - -AFT_LATITUDE=23.4 -AFT_LONGITUDE=33.6 -AFT_ENVIRONMENT=AFTUAT - -#Restlet Component Default Properties -RESTLET_COMPONENT_CONTROLLER_DAEMON=true -RESTLET_COMPONENT_CONTROLLER_SLEEP_TIME_MS=100 -RESTLET_COMPONENT_INBOUND_BUFFER_SIZE=8192 -RESTLET_COMPONENT_MIN_THREADS=1 -RESTLET_COMPONENT_MAX_THREADS=10 -RESTLET_COMPONENT_LOW_THREADS=8 -RESTLET_COMPONENT_MAX_QUEUED=0 -RESTLET_COMPONENT_MAX_CONNECTIONS_PER_HOST=-1 -RESTLET_COMPONENT_MAX_TOTAL_CONNECTIONS=-1 -RESTLET_COMPONENT_OUTBOUND_BUFFER_SIZE=8192 -RESTLET_COMPONENT_PERSISTING_CONNECTIONS=true -RESTLET_COMPONENT_PIPELINING_CONNECTIONS=false -RESTLET_COMPONENT_THREAD_MAX_IDLE_TIME_MS=60000 -RESTLET_COMPONENT_USE_FORWARDED_HEADER=false -RESTLET_COMPONENT_REUSE_ADDRESS=true - -#Externalized jar and properties file location. 
In CSI environments, there are a few libs that have been externalized to aid -#in CSTEM maintenance of the versions of these libs. The most important to the AJSC is the DME2 lib. Not only is this lib necessary -#for proper registration of your AJSC service on a node, but it is also necessary for running locally as well. Another framework -#used in CSI envs is the CSM framework. These 2 framework libs are shown as "provided" dependencies within the pom.xml. These -#dependencies will be copied into the target/commonLibs folder with the normal "mvn clean package" goal of the AJSC. They will -#then be added to the classpath via AJSC_EXTERNAL_LIB_FOLDERS system property. Any files (mainly property files) that need -#to be on the classpath should be added to the AJSC_EXTERNAL_PROPERTIES_FOLDERS system property. The default scenario when -#testing your AJSC service locally will utilize the target/commonLibs directory for DME2 and CSM related artifacts and 2 -#default csm properties files will be used for local testing with anything CSM knorelated. -#NOTE: we are using maven-replacer-plugin to replace "(doubleUnderscore)basedir(doubleUnderscore)" with ${basedir} within the -#target directory for running locally. Multiple folder locations can be separated by the pipe ("|") character. -#Please, NOTE: for running locally, we are setting this system property in the antBuild/build.xml "runLocal" target and in the -#"runAjsc" profile within the pom.xml. This is to most effectively use maven variables (${basedir}, most specifically. Therefore, -#when running locally, the following 2 properties should be set within the profile(s) themselves. -#Example: target/commonLibs|target/otherLibs -#AJSC_EXTERNAL_LIB_FOLDERS=__basedir__/target/commonLibs -#AJSC_EXTERNAL_PROPERTIES_FOLDERS=__basedir__/ajsc-shared-config/etc -#End of AJSC System Properties - -#Service System Properties. Please, place any Service related System Properties below. 
- -#msgrtr content length and error message -#100mb -maxcontentlength=10000 -msg_size_exceeds=Message size exceeds the default size. -forceAAF=false -cadi_prop_files={{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.properties \ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml deleted file mode 100644 index 49196e441b..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml +++ /dev/null @@ -1,138 +0,0 @@ - - - - - - - - - true - - - /etc/runner-web.xml - /etc/ajsc-override-web.xml - true - /extJars/json-20131018.jar - - - false - - - - - - - - - - - - - - - - - - - - - - - - - - /extApps - 10 - true - - - - - - - - - - - - - - - - - - - - - - - {{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.jks - ${KEYSTORE_PASSWORD} - ${KEYSTORE_PASSWORD} - true - - - - - - - - - - - - http/1.1 - - - - - - - - - - - - - - - - - - - - - - 30000 - - - - - - - - - - false - - - diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties b/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties deleted file mode 100644 index 596a316d77..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties +++ /dev/null 
@@ -1,19 +0,0 @@
-aaf_locate_url=https://aaf-locate.onap:8095
-aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-aaf_env=DEV
-aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm
-
-cadi_truststore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
-cadi_truststore_password=${TRUSTSTORE_PASSWORD}
-
-cadi_keyfile={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.keyfile
-
-cadi_alias={{ .Values.certInitializer.fqi }}
-cadi_keystore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.p12
-cadi_keystore_password=${KEYSTORE_PASSWORD_P12}
-cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
-
-cadi_loglevel=INFO
-cadi_protocols=TLSv1.1,TLSv1.2
-cadi_latitude=37.78187
-cadi_longitude=-122.26147
diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml
deleted file mode 100644
index 116c52499f..0000000000
--- a/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml
+++ /dev/null
@@ -1,108 +0,0 @@ - - - - - - contextConfigLocation - /WEB-INF/spring-servlet.xml, - classpath:applicationContext.xml - - - - - spring.profiles.default - nooauth - - - - org.springframework.web.context.ContextLoaderListener - - - - ManagementServlet - ajsc.ManagementServlet - - - - WriteableRequestFilter - com.att.ajsc.csi.writeablerequestfilter.WriteableRequestFilter - - - - InterceptorFilter - ajsc.filters.InterceptorFilter - - preProcessor_interceptor_config_file - /etc/PreProcessorInterceptors.properties - - - postProcessor_interceptor_config_file - /etc/PostProcessorInterceptors.properties - - - - - - - DMaaPAuthFilter - DMaaPAuthFilter - org.onap.dmaap.util.DMaaPAuthFilter - - cadi_prop_files - {{.Values.certInitializer.appMountPath}}/local/cadi.properties - - - - - - RestletServlet - ajsc.restlet.RestletSpringServlet - - org.restlet.component - restletComponent - - - - - CamelServlet - ajsc.servlet.AjscCamelServlet - - - - - springSecurityFilterChain - org.springframework.web.filter.DelegatingFilterProxy - - - - spring - org.springframework.web.servlet.DispatcherServlet - 1 - - - - spring - / - - - diff --git a/kubernetes/dmaap/components/message-router/templates/NOTES.txt b/kubernetes/dmaap/components/message-router/templates/NOTES.txt deleted file mode 100644 index a44d0f76ee..0000000000 --- a/kubernetes/dmaap/components/message-router/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/dmaap/components/message-router/templates/configmap.yaml b/kubernetes/dmaap/components/message-router/templates/configmap.yaml index c999b79183..3f786ad950 100644 --- a/kubernetes/dmaap/components/message-router/templates/configmap.yaml +++ b/kubernetes/dmaap/components/message-router/templates/configmap.yaml 
@@ -40,45 +40,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/dmaap/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-etc - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/etc/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-sys-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/dmaap/sys-props.properties").AsConfig . | indent 2 }} ---- -{{- if .Values.prometheus.jmx.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-prometheus-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/dmaap/jmx-mrservice-prometheus.yml").AsConfig . | indent 2 }} ---- -{{ end }} + diff --git a/kubernetes/dmaap/components/message-router/templates/ingress.yaml b/kubernetes/dmaap/components/message-router/templates/ingress.yaml new file mode 100644 index 0000000000..a90bf83c07 --- /dev/null +++ b/kubernetes/dmaap/components/message-router/templates/ingress.yaml 
@@ -0,0 +1,18 @@ +{{/* +# Copyright © 2018 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2018 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/message-router/templates/secrets.yaml b/kubernetes/dmaap/components/message-router/templates/secrets.yaml deleted file mode 100644 index 50dda8a8f9..0000000000 --- a/kubernetes/dmaap/components/message-router/templates/secrets.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021-2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-secret - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ (.Files.Glob "resources/config/dmaap/mykey").AsSecrets | indent 2 }} -type: Opaque ---- -{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml index 904c160c70..ede6cb025e 100644 --- a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml @@ -2,6 +2,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2023 DTAG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -22,103 +23,14 @@ metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} + replicas: 1 template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0); - cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config - name: jetty - - mountPath: /config-input - name: etc - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} containers: - {{- if .Values.prometheus.jmx.enabled }} - - name: prometheus-jmx-exporter - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.prometheus.jmx.image }}:{{ .Values.prometheus.jmx.imageTag }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - java - - -XX:+UnlockExperimentalVMOptions - - -XX:+UseCGroupMemoryLimitForHeap - - -XX:MaxRAMFraction=1 - - -XshowSettings:vm - - -jar - - jmx_prometheus_httpserver.jar - - {{ .Values.prometheus.jmx.port | quote }} - - /etc/jmx-kafka/jmx-mrservice-prometheus.yml - ports: - - containerPort: {{ .Values.prometheus.jmx.port }} - resources: - volumeMounts: - - name: jmx-config - mountPath: /etc/jmx-kafka - {{- end }} - - name: srimzi-zk-entrance - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.zookeeper.entrance.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /opt/stunnel/stunnel_run.sh - ports: - - containerPort: {{ .Values.global.zkTunnelService.internalPort }} - name: zoo - protocol: TCP - env: - - name: LOG_LEVEL - value: debug - - name: STRIMZI_ZOOKEEPER_CONNECT - value: '{{ include "common.release" . }}-strimzi-zookeeper-client:{{ .Values.global.zkTunnelService.internalPort }}' - livenessProbe: - exec: - command: - - /opt/stunnel/stunnel_healthcheck.sh - - '{{ .Values.global.zkTunnelService.internalPort }}' - failureThreshold: 3 - initialDelaySeconds: 15 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - exec: - command: - - /opt/stunnel/stunnel_healthcheck.sh - - '{{ .Values.global.zkTunnelService.internalPort }}' - failureThreshold: 3 - initialDelaySeconds: 15 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - volumeMounts: - - mountPath: /etc/cluster-operator-certs/ - name: cluster-operator-certs - - mountPath: /etc/cluster-ca-certs/ - name: cluster-ca-certs - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - cp /jetty-config/ajsc-jetty.xml /appl/dmaapMR1/etc/ - cp /jetty-config/cadi.properties {{ .Values.certInitializer.appMountPath }}/local/cadi.properties - /bin/sh /appl/startup.sh - {{- end }} ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: 
@@ -148,58 +60,71 @@ spec: failureThreshold: {{ .Values.startup.failureThreshold }} env: - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "mr-kafka-admin-secret" "key" "sasl.jaas.config") | indent 12 }} + valueFrom: + secretKeyRef: + name: strimzi-kafka-admin + key: sasl.jaas.config - name: SASLMECH value: scram-sha-512 - name: enableCadi - value: "{{ .Values.global.aafEnabled }}" + value: "true" - name: useZkTopicStore value: "false" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /appl/dmaapMR1/bundleconfig/etc/appprops/MsgRtrApi.properties - subPath: MsgRtrApi.properties - name: appprops - - mountPath: /appl/dmaapMR1/bundleconfig/etc/logback.xml - subPath: logback.xml - name: logback - {{- if .Values.global.aafEnabled }} - - mountPath: /appl/dmaapMR1/etc/runner-web.xml - subPath: runner-web.xml - name: etc - - mountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops/sys-props.properties - subPath: sys-props.properties - name: sys-props - - mountPath: /jetty-config - name: jetty - {{- end }} + volumeMounts: + - mountPath: /appl/dmaapMR1/bundleconfig/etc/appprops/MsgRtrApi.properties + subPath: MsgRtrApi.properties + name: appprops + - mountPath: /appl/dmaapMR1/bundleconfig/etc/logback.xml + subPath: logback.xml + name: logback resources: {{ include "common.resources" . | nindent 12 }} + - name: {{ .Values.zkTunnelService.name }} + image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.zkTunnelService.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /opt/stunnel/stunnel_run.sh + ports: + - containerPort: {{ .Values.zkTunnelService.internalPort }} + name: {{ .Values.zkTunnelService.portName }} + protocol: {{ .Values.zkTunnelService.protocol }} + env: + - name: LOG_LEVEL + value: {{ .Values.zkTunnelService.logLevel }} + - name: STRIMZI_ZOOKEEPER_CONNECT + value: '{{ include "common.release" . }}-strimzi-zookeeper-client:{{ .Values.zkTunnelService.internalPort }}' + livenessProbe: + exec: + command: + - /opt/stunnel/stunnel_healthcheck.sh + - '{{ .Values.zkTunnelService.internalPort }}' + failureThreshold: 3 + initialDelaySeconds: 15 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - /opt/stunnel/stunnel_healthcheck.sh + - '{{ .Values.zkTunnelService.internalPort }}' + failureThreshold: 3 + initialDelaySeconds: 15 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /etc/cluster-operator-certs/ + name: cluster-operator-certs + - mountPath: /etc/cluster-ca-certs/ + name: cluster-ca-certs serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: appprops configMap: name: {{ include "common.fullname" . }}-msgrtrapi-prop-configmap - - name: etc - configMap: - name: {{ include "common.fullname" . }}-etc - name: logback configMap: name: {{ include "common.fullname" . }}-logback-xml-configmap - {{- if .Values.prometheus.jmx.enabled }} - - name: jmx-config - configMap: - name: {{ include "common.fullname" . }}-prometheus-configmap - {{- end }} - - name: sys-props - configMap: - name: {{ include "common.fullname" . }}-sys-props - - name: jetty - emptyDir: {} - name: cluster-operator-certs secret: defaultMode: 288 
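Review bot: The `JAASLOGIN` entry now hard-codes `secretKeyRef` `name: strimzi-kafka-admin`, where the removed line resolved the secret through `common.secret.envFromSecretFast`. A deployment whose Strimzi admin user is named differently can no longer point the chart at its own secret, and the container cannot start if that Secret is absent from the namespace. I would keep the name overridable, for example `name: {{ .Values.kafkaAdminSecretName | default "strimzi-kafka-admin" }}` (the values key is a placeholder, not an existing one). In the same env block `enableCadi` changes from `{{ .Values.global.aafEnabled }}` to a literal `"true"` while this commit deletes cadi.properties and the certInitializer mounts. If the image still reads that flag to switch on the CADI filter, the two look inconsistent and the line needs a comment explaining why it stays true.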
@@ -208,8 +133,7 @@ spec: secret: defaultMode: 288 secretName: {{ include "common.release" . }}-strimzi-cluster-ca-cert - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -226,7 +150,7 @@ spec: matchLabels: app.kubernetes.io/name: {{ include "common.name" . }} ports: - - port: {{ .Values.global.zkTunnelService.internalPort }} - protocol: TCP + - port: {{ .Values.zkTunnelService.internalPort }} + protocol: {{ .Values.zkTunnelService.protocol }} policyTypes: - Ingress diff --git a/kubernetes/dmaap/components/message-router/values.yaml b/kubernetes/dmaap/components/message-router/values.yaml index 80460ba570..ab6a31ee2e 100644 --- a/kubernetes/dmaap/components/message-router/values.yaml +++ b/kubernetes/dmaap/components/message-router/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2023 DTAG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,93 +19,58 @@ # Global configuration defaults. ################################################################# global: - nodePortPrefix: 302 - zkTunnelService: - type: ClusterIP - name: zk-tunnel-svc - portName: tcp-zk-tunnel - internalPort: 2181 - -zookeeper: - entrance: - image: scholzj/zoo-entrance:latest - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-mr-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: dmaap-mr - fqi: dmaapmr@mr.dmaap.onap.org - public_fqdn: mr.dmaap.onap.org - cadi_longitude: "-122.26147" - cadi_latitude: "37.78187" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - appMountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops - fqi_namespace: org.onap.dmaap.mr - aaf_add_config: | - cd {{ .Values.credsPath }} - echo "*** change jks password into shell safe one" - export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - keytool -storepasswd -new "${KEYSTORE_PASSWD}" \ - -storepass "${cadi_keystore_password_jks}" \ - -keystore {{ .Values.fqi_namespace }}.jks - echo "*** set key password as same password as jks keystore password" - keytool -keypasswd -new "${KEYSTORE_PASSWD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_jks}" \ - -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }} - echo "*** store the passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop - echo "KEYSTORE_PASSWORD_P12=${cadi_keystore_password_p12}" >> mycreds.prop - echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> mycreds.prop - echo "*** give ownership of files to the user" - chown -R 1000 . + persistence: {} ################################################################# # Application configuration defaults. 
################################################################# # application image -image: onap/dmaap/dmaap-mr:1.4.3 +image: onap/dmaap/dmaap-mr:1.4.4 pullPolicy: Always -secrets: - - uid: mr-kafka-admin-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate +#Strimzi zookeeper_tunnel config +zkTunnelService: + type: ClusterIP + name: zk-tunnel-svc + portName: tcp-zk-tunnel + protocol: TCP + internalPort: 2181 + logLevel: debug + image: scholzj/zoo-entrance:latest -# flag to enable debugging - application support required -debugEnabled: false +nodeSelector: {} -# application configuration -config: - someConfig: blah +affinity: {} -# default number of instances -replicaCount: 1 +containerPort: &svc_port 3904 -nodeSelector: {} +service: + type: ClusterIP + name: message-router + ports: + - name: api + port: *svc_port + port_protocol: http -affinity: {} +ingress: + enabled: false + service: + - baseaddr: "dmaap-mr-api" + name: "message-router" + port: *svc_port + config: + ssl: "redirect" # probe configuration parameters liveness: initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + periodSeconds: 30 + timeoutSeconds: 15 successThreshold: 1 failureThreshold: 3 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container - port: api + port: *svc_port enabled: true readiness: 
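Review bot: `zkTunnelService.image` is still `scholzj/zoo-entrance:latest`, a mutable tag, and the statefulset mounts `cluster-operator-certs` and `cluster-ca-certs` into that container. With `pullPolicy: Always` (unless `global.pullPolicy` overrides it), a pod restart can pull whatever the tag points to at that moment. Pin it to a fixed version or digest, e.g. `image: scholzj/zoo-entrance:<pinned-tag>@sha256:<digest>`, the way the removed `prometheus.jmx` image was pinned by digest. `logLevel: debug` as the shipped default also needs a check: what the tunnel logs at that level is not visible here, so confirm it does not put connection or certificate detail into pod logs.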
@@ -113,51 +79,16 @@ readiness: timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 - port: api + port: *svc_port +# periodSeconds is set longer to avoid DMaaP 429 error startup: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 90 + periodSeconds: 30 + timeoutSeconds: 15 successThreshold: 1 failureThreshold: 70 - port: api - -service: - type: NodePort - name: message-router - both_tls_and_plain: true - msb: - - port: 3904 - url: "/" - version: "v1" - protocol: "REST" - visualRange: "1" - ports: - - name: api - port: 3905 - plain_port: 3904 - port_protocol: http - nodePort: 26 - -prometheus: - jmx: - enabled: false - image: solsson/kafka-prometheus-jmx-exporter@sha256 - imageTag: 6f82e2b0464f50da8104acd7363fb9b995001ddff77d248379f8788e78946143 - port: 5556 - targetPort: 5555 - -ingress: - enabled: false - service: - - baseaddr: "dmaap-mr-api" - name: "message-router" - port: 3905 - plain_port: 3904 - config: - ssl: "redirect" - + port: *svc_port # Resource Limit flavor -By Default using small flavor: small @@ -165,18 +96,18 @@ flavor: small resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "2" + memory: "4Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dmaap/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 8540903193..0000000000 --- a/kubernetes/dmaap/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2019 The Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - - /opt/app/datartr/logs/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.global.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.global.logstashPort}}"] - #If enable will do load balancing among available Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase \ No newline at end of file diff --git a/kubernetes/dmaap/values.yaml b/kubernetes/dmaap/values.yaml index 1cb537b5f4..6faab9cdbc 100644 --- a/kubernetes/dmaap/values.yaml +++ b/kubernetes/dmaap/values.yaml 
@@ -18,41 +18,14 @@ # Global configuration defaults. ################################################################# global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - clientImage: onap/dmaap/dbc-client:2.0.10 - -#Global DMaaP app config - allow_http: false - - #Logstash config - logstashServiceName: log-ls - logstashPort: 5044 - - #dmaap-dr-prov server configuration - dmaapDrProvName: dmaap-dr-prov - dmaapDrProvExtPort2: 443 - dmaapDrProvExtPort: 80 - - #AAF global config overrides - aafEnabled: true - - #Strimzi config - kafkaStrimziAdminUser: strimzi-kafka-admin - + persistence: {} #Component overrides message-router: enabled: true - config: - jaasConfExternalSecret: '{{ .Values.global.kafkaStrimziAdminUser }}' -dmaap-bc: - enabled: true dmaap-dr-node: enabled: true dmaap-dr-prov: enabled: true -dmaap-strimzi: - enabled: true #Pods Service Account serviceAccount: diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index 347c7689e4..f60a2d35d0 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh @@ -51,8 +51,8 @@ generate_overrides() { END=${SUBCHART_NAMES[index+1]} if [ "$START" = "global:" ]; then echo "global:" > $GLOBAL_OVERRIDES - cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \ - | sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES + cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \ + | sed '1d;$d' >> $GLOBAL_OVERRIDES else SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)" if [ -d "$SUBCHART_DIR" ]; then @@ -271,7 +271,7 @@ deploy() { #So cache the results to prevent repeated execution. ALL_HELM_RELEASES=$(helm ls -q) - for subchart in strimzi cassandra mariadb-galera postgres ; do + for subchart in strimzi roles-wrapper repository-wrapper cassandra mariadb-galera postgres ; do SUBCHART_OVERRIDES=$CACHE_SUBCHART_DIR/$subchart/subchart-overrides.yaml SUBCHART_ENABLED=0 
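Review bot: In `generate_overrides()` in deploy.sh (hunk at -51,8) the new range end `/'"$END"'/` is not anchored, while the start `/^'"$START"'/` is. sed therefore stops at the first line that contains the next subchart's name anywhere, including an indented key of that name inside the `global:` block, and the global overrides file would be cut short without any error. Anchoring the end the same way keeps the match to top-level keys: `cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/^'"$END"'/p' \`. `$START` and `$END` are also spliced into the regex unescaped, and `$COMPUTED_OVERRIDES` and `$GLOBAL_OVERRIDES` are unquoted, which is worth tightening if chart names or cache paths can contain `.` or spaces. The function body starts and ends outside the hunk, so whether the non-global branch anchors its end pattern is not visible here.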
@@ -296,8 +296,8 @@ deploy() { done fi done - - + # Disable delay + DELAY="false" for subchart in * ; do SUBCHART_OVERRIDES=$CACHE_SUBCHART_DIR/$subchart/subchart-overrides.yaml diff --git a/kubernetes/helm/starters/onap-app/Chart.yaml b/kubernetes/helm/starters/onap-app/Chart.yaml index abad5ca4ee..c8f618a984 100644 --- a/kubernetes/helm/starters/onap-app/Chart.yaml +++ b/kubernetes/helm/starters/onap-app/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: name: -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/helm/starters/onap-app/templates/deployment.yaml b/kubernetes/helm/starters/onap-app/templates/deployment.yaml index fc76c1ff6d..c4d0eb5d3f 100644 --- a/kubernetes/helm/starters/onap-app/templates/deployment.yaml +++ b/kubernetes/helm/starters/onap-app/templates/deployment.yaml @@ -70,16 +70,12 @@ spec: #Example environment variable passed to container # - name: DEBUG_FLAG # value: {{ .Values.global.debugEnabled | default .Values.debugEnabled | quote }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true #Example config file mount into container +# volumeMounts: # - mountPath: /opt/app/application.properties # name: {{ include "common.name" . }}-config # subPath: application.properties - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -89,16 +85,12 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime #Example config file mount into container +# volumes: # - name: {{ include "common.fullname" . }}-config # configMap: # name: {{ include "common.fullname" . }}-configmap # items: # - key: application.properties # path: application.properties - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/helm/starters/onap-app/values.yaml b/kubernetes/helm/starters/onap-app/values.yaml index 702bfb2a73..eef745d940 100644 --- a/kubernetes/helm/starters/onap-app/values.yaml +++ b/kubernetes/helm/starters/onap-app/values.yaml @@ -85,8 +85,8 @@ resources: {} # Minimum memory for production is 4 CPU cores and 8GB memory #resources: # limits: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" # requests: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" diff --git a/kubernetes/holmes/Chart.yaml b/kubernetes/holmes/Chart.yaml index 971d81c614..7a8a23a42f 100644 --- a/kubernetes/holmes/Chart.yaml +++ b/kubernetes/holmes/Chart.yaml @@ -18,26 +18,26 @@ apiVersion: v2 description: ONAP DCAE HOLMES name: holmes -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.postgres.localCluster - name: postgres-init - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - condition: not global.postgres.localCluster + condition: global.postgres.globalCluster - name: holmes-rule-mgmt - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/holmes-rule-mgmt' - name: holmes-engine-mgmt - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/holmes-engine-mgmt' 
diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml index 1aa4726253..df7f2c0c72 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml @@ -18,18 +18,18 @@ apiVersion: v2 appVersion: "2.0" description: Holmes Engine Management name: holmes-engine-mgmt -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~12.x-0 + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 - repository: '@local' + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml index f818dfd3b0..34c4024059 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml @@ -2,11 +2,6 @@ server: port: 9102 servlet: context-path: /api/holmes-engine-mgmt/v1 - ssl: - key-store: /opt/onap/conf/holmes.keystore - key-store-password: holmes - #PKCS12 - key-store-type: JKS logging: config: classpath:logback-spring.xml diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml index 9e62ccf2f7..9a16390856 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml 
@@ -19,10 +19,8 @@ server: applicationContextPath: / adminContextPath: /admin connector: - type: https + type: http port: 9102 - keyStorePath: /opt/onap/conf/holmes.keystore - keyStorePassword: holmes validateCerts: false validatePeers: false diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml index dd7bb4552e..641f032ce4 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml @@ -33,7 +33,12 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{- include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: + {{- if .Values.global.postgres.localCluster }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }} + {{ else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }} + {{- end }} - name: {{ include "common.name" . }}-env-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -53,6 +58,16 @@ spec: value: {{ .Values.config.pgConfig.dbHost }} - name: DB_PORT value: "{{ .Values.config.pgConfig.dbPort }}" + - name: AAI_ADDR + value: aai + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_USERNAME + value: {{ .Values.config.aai.username }} + - name: AAI_PASSWORD + value: {{ .Values.config.aai.password }} + - name: NAMESPACE + value: {{ include "common.namespace" . }} volumeMounts: - mountPath: /hemconfig name: {{ include "common.fullname" . }}-config 
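Review bot: With `type: http` the engine connector on port 9102 in engine-d.yml now serves cleartext, and nothing in the hunk says what is expected to protect the traffic instead. If transport security is meant to come from a mesh or ingress in front of the pod, state that next to the connector, for example `# TLS is terminated outside the pod (mesh/ingress); do not expose 9102 directly`. The remaining `validateCerts: false` and `validatePeers: false` look like leftovers of the https connector and could be removed so they are not read as a deliberate setting. The same applies to the matching hunk in `rulemgt.yml` for port 9101.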
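Review bot: `AAI_PASSWORD` in the engine-mgmt deployment.yaml hunk is rendered straight from `.Values.config.aai.password` into the container env, so the credential sits in clear text in the Deployment manifest and in the release values. The default added for it in this component's values.yaml hunk is `username: AAI` / `password: AAI`. That values file already has a "Secrets metaconfig" section, so the AAI login should be declared there and reach the container through `valueFrom.secretKeyRef` rather than a literal `value:`. Independently of that, the two values are unquoted; `value: {{ .Values.config.aai.password | quote }}` avoids a rendering failure on a password with YAML-special characters. The container spec continues outside the hunk.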
@@ -64,7 +79,7 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {{ include "common.resources" . | nindent 10 }} ports: {{ include "common.containerPorts" . | nindent 10 }} - volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - name: {{ include "common.fullname" . }}-env-config mountPath: /opt/hemconfig - name: {{ include "common.fullname" . }}-config @@ -119,7 +134,7 @@ spec: - name: DB_PORT value: "{{ .Values.config.pgConfig.dbPort }}" serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: {{ include "common.fullname" . }}-config configMap: defaultMode: 422 @@ -127,5 +142,4 @@ spec: - name: {{ include "common.fullname" . }}-env-config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml index ce3035e5da..bd06bcd1ee 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml 
@@ -20,50 +20,19 @@ ################################################################# global: nodePortPrefixExt: 302 - msbProtocol: https + msbProtocol: http msbServiceName: msb-iag - msbPort: 443 + msbPort: 80 + postgres: + localCluster: false ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/holmes/engine-management:11.0.0 +image: onap/holmes/engine-management:12.0.1 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: holmes-engine-mgmt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: holmes-engine-mgmt - fqi: holmes-engine-mgmt@holmes-engine-mgmt.onap.org - fqi_namespace: org.onap.holmes-engine-mgmt - public_fqdn: holmes-engine-mgmt.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to 
targeted user" - chown -R 1000 . - ################################################################# # Secrets metaconfig ################################################################# @@ -90,20 +59,41 @@ config: dbUser: admin dbUserPassword: admin # dbUserCredsExternalSecret + msb: + serviceName: msb-iag + port: 80 + aai: + aaiPort: 80 + username: AAI + password: AAI service: type: ClusterIP name: holmes-engine-mgmt ports: - - name: https-rest + - name: http-rest port: &svc_port 9102 + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "holmes-engine-mgmt", + "version": "v1", + "url": "/api/holmes-engine-mgmt/v1", + "path":"/api/holmes-engine-mgmt/v1", + "protocol": "REST", + "visualRange":"0|1", + "port": "9102", + "enable_ssl": false + } + ]{{ end }} # probe configuration parameters liveness: initialDelaySeconds: 10 periodSeconds: 10 path: /api/holmes-engine-mgmt/v1/healthcheck - scheme: HTTPS + scheme: HTTP port: *svc_port enabled: true @@ -111,27 +101,35 @@ readiness: initialDelaySeconds: 30 periodSeconds: 30 path: /api/holmes-engine-mgmt/v1/healthcheck - scheme: HTTPS + scheme: HTTP port: *svc_port # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 500m - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 250m - memory: 500Mi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 500m - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 250m - memory: 1Gi + cpu: "1" + memory: "2Gi" unlimited: {} +readinessCheck: + wait_for_global: + jobs: + - '{{ include "common.release" . }}-holmes-postgres-init-config-job' + wait_for_local: + services: + - '{{ .Values.global.postgres.service.name2 }}' + #Pods Service Account serviceAccount: nameOverride: holmes-engine-mgmt diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml index 628f5c6828..4263913b25 100644 
--- a/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml @@ -18,18 +18,18 @@ apiVersion: v2 appVersion: "2.0" description: Holmes Rule Management name: holmes-rule-mgmt -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~12.x-0 + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml index 18cf3b4966..2ff0fa6d52 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml @@ -2,11 +2,6 @@ server: port: 9101 servlet: context-path: /api/holmes-rule-mgmt/v1 - ssl: - key-store: /opt/onap/conf/holmes.keystore - key-store-password: holmes - #PKCS12 - key-store-type: JKS logging: config: classpath:logback-spring.xml diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml index 89269dede8..3b7218855a 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml @@ -13,10 +13,8 @@ server: applicationContextPath: / adminContextPath: /admin connector: - type: https + type: http port: 9101 - keyStorePath: /opt/onap/conf/holmes.keystore - keyStorePassword: holmes validateCerts: false validatePeers: false 
diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml index 21a96568cb..e71187c557 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml @@ -32,7 +32,12 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{- include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: + {{- if .Values.global.postgres.localCluster }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }} + {{ else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }} + {{- end }} - name: {{ include "common.name" . }}-env-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -52,6 +57,8 @@ spec: value: {{ .Values.config.pgConfig.dbHost }} - name: DB_PORT value: "{{ .Values.config.pgConfig.dbPort }}" + - name: NAMESPACE + value: {{ include "common.namespace" . }} volumeMounts: - mountPath: /hrmconfig name: {{ include "common.fullname" . }}-general-config @@ -61,8 +68,9 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {{ include "common.resources" . | nindent 10 }} ports: {{ include "common.containerPorts" . | nindent 8 }} - volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - name: {{ include "common.fullname" . }}-env-config mountPath: /opt/hrmconfig - name: {{ include "common.fullname" . }}-rule-config 
@@ -117,7 +125,7 @@ spec: - name: DB_PORT value: "{{ .Values.config.pgConfig.dbPort }}" serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: {{ include "common.fullname" . }}-general-config configMap: defaultMode: 422 @@ -129,5 +137,4 @@ spec: - name: {{ include "common.fullname" . }}-env-config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/templates/ingress.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/holmes/components/holmes-rule-mgmt/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml index bd84c249c9..a7e0e25a17 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml 
@@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 ZTE Corporation Intellectual Property. All rights reserved. +# Modifications 2023 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -20,50 +21,19 @@ ################################################################# global: nodePortPrefixExt: 302 - msbProtocol: https + msbProtocol: http msbServiceName: msb-iag - msbPort: 443 + msbPort: 80 + postgres: + localCluster: false ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/holmes/rule-management:11.0.0 +image: onap/holmes/rule-management:12.0.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: holmes-rule-mgmt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: holmes-rule-mgmt - fqi: holmes-rule-mgmt@holmes-rule-mgmt.onap.org - fqi_namespace: org.onap.holmes-rule-mgmt - public_fqdn: holmes-rule-mgmt.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" 
- chown -R 1000 . - ################################################################# # Secrets metaconfig ################################################################# @@ -95,12 +65,40 @@ service: type: NodePort name: holmes-rule-mgmt ports: - - name: https-rest + - name: http-rest port: &svc_port 9101 nodePort: 92 - - name: https-ui - port: 9104 + - name: http-ui + port: &ui_port 9104 nodePort: 93 + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "holmes-rule-mgmt", + "version": "v1", + "url": "/api/holmes-rule-mgmt/v1", + "path":"/api/holmes-rule-mgmt/v1", + "protocol": "REST", + "visualRange":"0|1", + "port": "9101", + "enable_ssl": false + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: "holmes-rule-mgmt" + name: "holmes-rule-mgmt" + path: "/api/holmes-rule-mgmt/v1" + port: *svc_port + - baseaddr: "holmes-rule-mgmt-ui" + name: "holmes-rule-mgmt" + path: "/iui/holmes" + port: *ui_port + config: + ssl: "redirect" # probe configuration parameters liveness: @@ -109,33 +107,41 @@ liveness: periodSeconds: 10 path: /api/holmes-rule-mgmt/v1/healthcheck enabled: true - scheme: HTTPS + scheme: HTTP readiness: initialDelaySeconds: 30 port: *svc_port periodSeconds: 30 path: /api/holmes-rule-mgmt/v1/healthcheck - scheme: HTTPS + scheme: HTTP # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 250m - memory: 1024Mi + cpu: "1" + memory: "1Gi" requests: - cpu: 250m - memory: 256Mi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 500m - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 500m - memory: 512Mi + cpu: "1" + memory: "1Gi" unlimited: {} +readinessCheck: + wait_for_global: + jobs: + - '{{ include "common.release" . }}-holmes-postgres-init-config-job' + wait_for_local: + services: + - '{{ .Values.global.postgres.service.name2 }}' + #Pods Service Account serviceAccount: nameOverride: holmes-rule-mgmt 
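Review bot: The rule-mgmt service stays `type: NodePort` while its ports are renamed to `http-rest` and `http-ui`, so the rule-management API on 9101 and the UI on 9104 are published on node ports 92 and 93 over plain HTTP. The new `ingress:` block with `ssl: "redirect"` is `enabled: false` by default and does not cover that path. Consider `type: ClusterIP`, as the engine-mgmt chart uses, and leave external access to the ingress, or add a comment such as `# NodePort is unencrypted; lab use only, prefer ingress`. The `"enable_ssl": false` in the MSB annotation follows from the same switch and would need the same justification.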
diff --git a/kubernetes/holmes/values.yaml b/kubernetes/holmes/values.yaml index a536380bd5..4ede9a15fd 100644 --- a/kubernetes/holmes/values.yaml +++ b/kubernetes/holmes/values.yaml @@ -22,7 +22,11 @@ global: #Service Names of the postgres db to connect to. #Override it to dbc-pg if localCluster is enabled. postgres: + #This flag allows SO to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) localCluster: false + globalCluster: true service: name: pgset name2: &postgres tcp-pgset-primary @@ -43,7 +47,6 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate - ################################################################# # Application configuration defaults. ################################################################# @@ -84,6 +87,8 @@ postgres-init: # pgPrimaryPassword: password # pgUserPassword: password # pgRootPassword: password + serviceAccount: + nameOverride: holmes-postgres-init holmes-engine-mgmt: config: diff --git a/kubernetes/log/.helmignore b/kubernetes/log/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/log/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/log/Chart.yaml b/kubernetes/log/Chart.yaml deleted file mode 100644 index 16df2f8953..0000000000 --- a/kubernetes/log/Chart.yaml +++ /dev/null 
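Review bot: The comment added above `localCluster` in holmes/values.yaml speaks of SO and a mariadb-galera cluster, but this is the Holmes chart and the flags select a PostgreSQL instance, so it reads as copied from another chart. Suggested first line: `#This flag allows Holmes to instantiate its own postgres cluster`, with the other two lines kept. `localCluster` and `globalCluster` are independent booleans, and Chart.yaml now keys `postgres` and `postgres-init` on one each, so setting both true or both false would enable both or neither. The comment is the only guard against that, which is why it should name the right component and database.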
@@ -1,38 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging ElasticStack -name: log -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: log-elasticsearch - version: ~12.x-0 - repository: 'file://components/log-elasticsearch' - - name: log-kibana - version: ~12.x-0 - repository: 'file://components/log-kibana' - - name: log-logstash - version: ~12.x-0 - repository: 'file://components/log-logstash' diff --git a/kubernetes/log/Makefile b/kubernetes/log/Makefile deleted file mode 100644 index eea1b7aefb..0000000000 --- a/kubernetes/log/Makefile +++ /dev/null 
@@ -1,59 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/log/components/Makefile b/kubernetes/log/components/Makefile deleted file mode 100644 index f09e21e75c..0000000000 
--- a/kubernetes/log/components/Makefile +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
diff --git a/kubernetes/log/components/log-elasticsearch/Chart.yaml b/kubernetes/log/components/log-elasticsearch/Chart.yaml deleted file mode 100644 index fad4c67e45..0000000000 --- a/kubernetes/log/components/log-elasticsearch/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging Elasticsearch -name: log-elasticsearch -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/log/components/log-elasticsearch/resources/config/elasticsearch.yml b/kubernetes/log/components/log-elasticsearch/resources/config/elasticsearch.yml deleted file mode 100644 index d39fc97e0d..0000000000 --- a/kubernetes/log/components/log-elasticsearch/resources/config/elasticsearch.yml +++ /dev/null 
@@ -1,146 +0,0 @@
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ======================== Elasticsearch Configuration =========================
-#
-# NOTE: Elasticsearch comes with reasonable defaults for most settings.
-# Before you set out to tweak and tune the configuration, make sure you
-# understand what are you trying to accomplish and the consequences.
-#
-# The primary way of configuring a node is via this file. This template lists
-# the most important settings you may want to configure for a production cluster.
-#
-# Please consult the documentation for further information on configuration options:
-# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
-#
-# ---------------------------------- Cluster -----------------------------------
-#
-# Name of the Elasticsearch cluster.
-# A node can only join a cluster when it shares its cluster.name with all the other nodes in the cluster.
-# The default name is elasticsearch, but you should change it to an appropriate name which describes the
-# purpose of the cluster.
-#
-cluster.name: "onap-log"
-#
-# The port that other nodes in the cluster should use when communicating with this node.
-# Required for Elasticsearch's nodes running on different cluster nodes.
-# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html
-#transport.publish_port:$transport.publish_port
-#
-# The host address to publish for nodes in the cluster to connect to.
-# Required for Elasticsearch's nodes running on different cluster nodes.
-# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html
-#transport.publish_host:$transport.publish_host
-#
-# ------------------------------------ Node ------------------------------------
-#
-# It is better to provide different meaningfull names fot different elastic nodes.
-# By default, Elasticsearch will take the 7 first character of the randomly generated uuid used as the node id.
-# Note that the node id is persisted and does not change when a node restarts
-#
-#node.name: $node.name
-#
-# Add custom attributes to the node:
-#
-#node.attr.rack: r1
-#
-# ----------------------------------- Paths ------------------------------------
-#
-# The location of the data files of each index / shard allocated on the node. Can hold multiple locations separated by coma.
-# In production, we should not keep this default to "/elasticsearch/data", as on upgrading Elasticsearch, directory structure
-# may change & can deal to data loss.
-path.data: /usr/share/elasticsearch/data
-#
-# Elasticsearch's log files location. In production, we should not keep this default to "/elasticsearch/logs",
-# as on upgrading Elasticsearch, directory structure may change.
-path.logs: /usr/share/elasticsearch/logs
-#
-# ----------------------------------- Memory -----------------------------------
-#
-# It is vitally important to the health of your node that none of the JVM is ever swapped out to disk.
-# Lock the memory on startup.
-#
-bootstrap.memory_lock: false
-#
-# Make sure that the heap size is set to about half the memory available
-# on the system and that the owner of the process is allowed to use this
-# limit.
-#
-# Elasticsearch performs poorly when the system is swapping the memory.
-#
-# ---------------------------------- Network -----------------------------------
-#
-# Set the bind address to a specific IP (IPv4 or IPv6):
-# In order to communicate and to form a cluster with nodes on other servers, your node will need to bind to a
-# non-loopback address.
-network.host: 0.0.0.0
-#
-# Set a custom port for HTTP: If required, default is 9200-9300
-#
-#http.port: $http.port
-#
-# For more information, consult the network module documentation.
-#
-# --------------------------------- Discovery ----------------------------------
-#
-# Pass an initial list of hosts to perform discovery when new node is started
-# To form a cluster with nodes on other servers, you have to provide a seed list of other nodes in the cluster
-# that are likely to be live and contactable.
-# By default, Elasticsearch will bind to the available loopback addresses and will scan ports 9300 to 9305 to try
-# to connect to other nodes running on the same server.
-#
-#$discovery.zen.ping.unicast.hosts
-#
-# This setting tells Elasticsearch to not elect a master unless there are enough master-eligible nodes
-# available. Only then will an election take place.
-# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
-discovery.zen.minimum_master_nodes: 1
-#
-# For more information, consult the zen discovery module documentation.
-#
-# ---------------------------------- Gateway -----------------------------------
-#
-# Block initial recovery after a full cluster restart until N nodes are started:
-#
-#gateway.recover_after_nodes: 3
-#
-# For more information, consult the gateway module documentation.
-#
-# ---------------------------------- Various -----------------------------------
-#
-# Require explicit names when deleting indices:
-#
-#action.destructive_requires_name: true
-# Set a custom port for HTTP: If required, default is 9200-9300
-# This is used for REST APIs
-http.port: {{.Values.service.externalPort}}
-# Port to bind for communication between nodes. Accepts a single value or a range.
-# If a range is specified, the node will bind to the first available port in the range.
-# Defaults to 9300-9400.
-# More info:
-transport.tcp.port: {{.Values.service.externalPort2}}
-
-xpack.graph.enabled: false
-#Set to false to disable X-Pack graph features.
-
-xpack.ml.enabled: false
-#Set to false to disable X-Pack machine learning features.
-
-xpack.monitoring.enabled: false
-#Set to false to disable X-Pack monitoring features.
-
-xpack.security.enabled: false
-#Set to false to disable X-Pack security features.
-
-xpack.watcher.enabled: false
-#Set to false to disable Watcher.
diff --git a/kubernetes/log/components/log-elasticsearch/templates/NOTES.txt b/kubernetes/log/components/log-elasticsearch/templates/NOTES.txt
deleted file mode 100644
index ab908cd309..0000000000
--- a/kubernetes/log/components/log-elasticsearch/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/log/components/log-elasticsearch/templates/configmap.yaml b/kubernetes/log/components/log-elasticsearch/templates/configmap.yaml deleted file mode 100644 index fe0349ede9..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/log/components/log-elasticsearch/templates/deployment.yaml b/kubernetes/log/components/log-elasticsearch/templates/deployment.yaml deleted file mode 100644 index b778af8564..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/deployment.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /bin/sh - - -c - - | - sysctl -w vm.max_map_count=262144 - mkdir -p /logroot/elasticsearch/logs - mkdir -p /logroot/elasticsearch/data - chmod -R 777 /logroot/elasticsearch - chown -R root:root /logroot - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - securityContext: - privileged: true - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: init-sysctl - volumeMounts: - - name: {{ include "common.fullname" . }}-logs - mountPath: /logroot/ - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.elasticRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - - containerPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} -# disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort2 }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/share/elasticsearch/config/elasticsearch.yml - name: {{ include "common.fullname" . }}-config - subPath: elasticsearch.yml - - mountPath: /usr/share/elasticsearch/data/ - name: {{ include "common.fullname" . }}-data - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-configmap - items: - - key: elasticsearch.yml - path: elasticsearch.yml - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-logs - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPathLogs }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/log/components/log-elasticsearch/templates/ingress.yaml b/kubernetes/log/components/log-elasticsearch/templates/ingress.yaml
deleted file mode 100644
index 8f87c68f1e..0000000000
--- a/kubernetes/log/components/log-elasticsearch/templates/ingress.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "common.ingress" . }}
diff --git a/kubernetes/log/components/log-elasticsearch/templates/pv.yaml b/kubernetes/log/components/log-elasticsearch/templates/pv.yaml
deleted file mode 100644
index 9d4093db11..0000000000
--- a/kubernetes/log/components/log-elasticsearch/templates/pv.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-kind: PersistentVolume
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}-data
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
- name: {{ include "common.fullname" . }}
-spec:
- capacity:
- storage: {{ .Values.persistence.size}}
- accessModes:
- - {{ .Values.persistence.accessMode }}
- persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }}
- storageClassName: "{{ include "common.fullname" . }}-data"
- hostPath:
- path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}
-{{- end -}}
diff --git a/kubernetes/log/components/log-elasticsearch/templates/pvc.yaml b/kubernetes/log/components/log-elasticsearch/templates/pvc.yaml
deleted file mode 100644
index 6ae4eea0d3..0000000000
--- a/kubernetes/log/components/log-elasticsearch/templates/pvc.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
-{{- if .Values.persistence.annotations }}
- annotations:
-{{ toYaml .Values.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
- accessModes:
- - {{ .Values.persistence.accessMode }}
- storageClassName: {{ include "common.storageClass" . }}
- resources:
- requests:
- storage: {{ .Values.persistence.size }}
-{{- end -}}
diff --git a/kubernetes/log/components/log-elasticsearch/templates/service.yaml b/kubernetes/log/components/log-elasticsearch/templates/service.yaml
deleted file mode 100644
index 7736f0c9d7..0000000000
--- a/kubernetes/log/components/log-elasticsearch/templates/service.yaml
+++ /dev/null
@@ -1,70 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name2 }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type2 }} - ports: - {{if eq .Values.service.type2 "NodePort" -}} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.name2 }} - {{- else -}} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/log/components/log-elasticsearch/values.yaml b/kubernetes/log/components/log-elasticsearch/values.yaml deleted file mode 100644 index 74cf4ed8c2..0000000000 --- a/kubernetes/log/components/log-elasticsearch/values.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# - -# application image -image: elasticsearch/elasticsearch:5.5.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 120 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If 
defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: log/elasticsearch/data - mountSubPathLogs: log - -service: - type: NodePort - name: log-es - externalPort: 9200 - internalPort: 9200 - nodePort: 54 - type2: ClusterIP - name2: log-es-tcp - externalPort2: 9300 - internalPort2: 9300 - -ingress: - enabled: false - service: - - baseaddr: "log-es-api" - name: "log-es" - port: 9200 - config: - ssl: "none" -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 1 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/log/components/log-kibana/Chart.yaml b/kubernetes/log/components/log-kibana/Chart.yaml deleted file mode 100644 index fc557127ba..0000000000 --- a/kubernetes/log/components/log-kibana/Chart.yaml +++ /dev/null 
@@ -1,29 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP Logging Kibana
-name: log-kibana
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/log/components/log-kibana/resources/config/README.txt b/kubernetes/log/components/log-kibana/resources/config/README.txt
deleted file mode 100644
index 2863c1d5e5..0000000000
--- a/kubernetes/log/components/log-kibana/resources/config/README.txt
+++ /dev/null
@@ -1 +0,0 @@
-"kibana-onboarding.json" file contains initial setup of Kibana obtained using Elasticdump tool.
\ No newline at end of file
diff --git a/kubernetes/log/components/log-kibana/resources/config/kibana-onboarding.json b/kubernetes/log/components/log-kibana/resources/config/kibana-onboarding.json
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/kubernetes/log/components/log-kibana/resources/config/kibana.yml b/kubernetes/log/components/log-kibana/resources/config/kibana.yml
deleted file mode 100644
index 377f3c7b65..0000000000
--- a/kubernetes/log/components/log-kibana/resources/config/kibana.yml
+++ /dev/null
@@ -1,129 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-xpack.graph.enabled: false
-#Set to false to disable X-Pack graph features.
-xpack.ml.enabled: false
-#Set to false to disable X-Pack machine learning features.
-xpack.monitoring.enabled: false
-#Set to false to disable X-Pack monitoring features.
-xpack.reporting.enabled: false
-#Set to false to disable X-Pack reporting features.
-xpack.security.enabled: false
-#Set to false to disable X-Pack security features.
-xpack.watcher.enabled: false
-#Set to false to disable Watcher.
-# Kibana is served by a back end server. This setting specifies the port to use.
-server.port: {{.Values.service.externalPort}}
-
-# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
-# The default is 'localhost', which usually means remote machines will not be able to connect.
-# To allow connections from remote users, set this parameter to a non-loopback address.
-server.host: "0"
-
-# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
-# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
-# to Kibana. This setting cannot end in a slash.
-#server.basePath: ""
-
-# The maximum payload size in bytes for incoming server requests.
-#server.maxPayloadBytes: 1048576
-
-# The Kibana server's name. This is used for display purposes.
-server.name: "Kibana"
-
-# The URL of the Elasticsearch instance to use for all your queries.
-elasticsearch.url: "http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}:{{.Values.config.elasticsearchPort}}"
-# When this setting's value is true Kibana uses the hostname specified in the server.host
-# setting. When the value of this setting is false, Kibana uses the hostname of the host
-# that connects to this Kibana instance.
-#elasticsearch.preserveHost: true
-
-# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
-# dashboards. Kibana creates a new index if the index doesn't already exist.
-#kibana.index: ".kibana"
-
-# The default application to load.
-#kibana.defaultAppId: "discover"
-
-# If your Elasticsearch is protected with basic authentication, these settings provide
-# the username and password that the Kibana server uses to perform maintenance on the Kibana
-# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
-# is proxied through the Kibana server.
-elasticsearch.username: "elastic"
-elasticsearch.password: "changeme"
-# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
-# These settings enable SSL for outgoing requests from the Kibana server to the browser.
-#server.ssl.enabled: $server_ssl_enabled
-#server.ssl.certificate: $server_ssl_certificate
-#server.ssl.key: $server_ssl_key
-
-# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
-# These files validate that your Elasticsearch backend uses the same key files.
-#elasticsearch.ssl.certificate: $elasticsearch_ssl_certificate
-#elasticsearch.ssl.key: $elasticsearch_ssl_key
-
-# Optional setting that enables you to specify a path to the PEM file for the certificate
-# authority for your Elasticsearch instance.
-#elasticsearch.ssl.certificateAuthorities: $elasticsearch_ssl_certificateAuthorities
-
-# To disregard the validity of SSL certificates, change this setting's value to 'none'.
-#elasticsearch.ssl.verificationMode: $elasticsearch_ssl_verificationMode
-
-# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
-# the elasticsearch.requestTimeout setting.
-#elasticsearch.pingTimeout: 1500
-
-# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
-# must be a positive integer.
-#elasticsearch.requestTimeout: 30000
-
-# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
-# headers, set this value to [] (an empty list).
-#elasticsearch.requestHeadersWhitelist: [ authorization ]
-
-# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
-# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
-#elasticsearch.customHeaders: {}
-
-# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
-#elasticsearch.shardTimeout: 0
-
-# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
-#elasticsearch.startupTimeout: 5000
-
-# Specifies the path where Kibana creates the process ID file.
-#pid.file: /var/run/kibana.pid
-
-# Enables you specify a file where Kibana stores log output.
-#logging.dest: stdout
-
-# Set the value of this setting to true to suppress all logging output.
-#logging.silent: false
-
-# Set the value of this setting to true to suppress all logging output other than error messages.
-#logging.quiet: false
-
-# Set the value of this setting to true to log all events, including system usage information
-# and all requests.
-#logging.verbose: false
-
-# Set the interval in milliseconds to sample system and process performance
-# metrics. Minimum is 100ms. Defaults to 5000.
-#ops.interval: 5000
-
-# The default locale. This locale can be used in certain circumstances to substitute any missing
-# translations.
-#i18n.defaultLocale: "en"
diff --git a/kubernetes/log/components/log-kibana/templates/NOTES.txt b/kubernetes/log/components/log-kibana/templates/NOTES.txt
deleted file mode 100644
index f115eb6f23..0000000000
--- a/kubernetes/log/components/log-kibana/templates/NOTES.txt
+++ /dev/null
@@ -1,32 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/log/components/log-kibana/templates/configmap.yaml b/kubernetes/log/components/log-kibana/templates/configmap.yaml deleted file mode 100644 index 3e98246df1..0000000000 --- a/kubernetes/log/components/log-kibana/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/log/components/log-kibana/templates/deployment.yaml b/kubernetes/log/components/log-kibana/templates/deployment.yaml deleted file mode 100644 index 5e3dc98f84..0000000000 --- a/kubernetes/log/components/log-kibana/templates/deployment.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - log-elasticsearch - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - - args: - - --input=/config/kibana-onboarding.json - - --output=http://{{.Values.config.elasticsearchServiceName}}.{{ include "common.namespace" . }}:{{.Values.config.elasticsearchPort}}/.kibana - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.elasticdumpImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-elasticdump - volumeMounts: - - mountPath: /config/kibana-onboarding.json - name: {{ include "common.fullname" . }} - subPath: kibana-onboarding.json - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.elasticRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - readinessProbe: - httpGet: - path: "/" - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} -# disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: "/" - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{ end -}} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/share/kibana/config/ - name: {{ include "common.fullname" . }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }} - configMap: - name: {{ include "common.fullname" . }} - items: - - key: kibana.yml - path: kibana.yml - - key: kibana-onboarding.json - path: kibana-onboarding.json - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/log/components/log-kibana/templates/ingress.yaml b/kubernetes/log/components/log-kibana/templates/ingress.yaml
deleted file mode 100644
index 8f87c68f1e..0000000000
--- a/kubernetes/log/components/log-kibana/templates/ingress.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "common.ingress" . }}
diff --git a/kubernetes/log/components/log-kibana/templates/service.yaml b/kubernetes/log/components/log-kibana/templates/service.yaml
deleted file mode 100644
index c53dc03368..0000000000
--- a/kubernetes/log/components/log-kibana/templates/service.yaml
+++ /dev/null
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/log/components/log-kibana/values.yaml b/kubernetes/log/components/log-kibana/values.yaml deleted file mode 100644 index 276bfea3b7..0000000000 --- a/kubernetes/log/components/log-kibana/values.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# - -# Elasticdump image -elasticdumpImage: taskrabbit/elasticsearch-dump - -# application image -image: kibana/kibana:5.5.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - elasticsearchServiceName: log-es - elasticsearchPort: 9200 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 300 - periodSeconds: 10 - timeoutSeconds: 1 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 300 - periodSeconds: 10 - timeoutSeconds: 1 - -service: - #Example service definition with external, internal and node ports. - #Services may use any combination of ports depending on the 'type' of - #service being defined. 
- type: NodePort - name: log-kibana - externalPort: 5601 - internalPort: 5601 - nodePort: 53 - -ingress: - enabled: false - service: - - baseaddr: "log-kibana-ui" - name: "log-kibana" - port: 5601 - config: - ssl: "none" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/log/components/log-logstash/Chart.yaml b/kubernetes/log/components/log-logstash/Chart.yaml deleted file mode 100644 index 0c51886c82..0000000000 --- a/kubernetes/log/components/log-logstash/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging Logstash -name: log-logstash -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/log/components/log-logstash/resources/config/logstash.yml b/kubernetes/log/components/log-logstash/resources/config/logstash.yml deleted file mode 100644 index 7c3bd8f851..0000000000 
--- a/kubernetes/log/components/log-logstash/resources/config/logstash.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/*
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-http.host: "0.0.0.0"
-pipeline.workers: 3
-## Path where pipeline configurations reside
-path.config: /usr/share/logstash/pipeline
-
-## Type of queue : memeory based or file based
-#queue.type: persisted
-## Size of queue
-#queue.max_bytes: 1024mb
-## Setting true makes logstash check periodically for change in pipeline configurations
-config.reload.automatic: true
-
-## xpack configurations
-#xpack.monitoring.elasticsearch.url: ["http://10.247.186.12:9200", "http://10.247.186.13:9200"]
-#xpack.monitoring.elasticsearch.username: elastic
-#xpack.monitoring.elasticsearch.password: changeme
-xpack.monitoring.enabled: false
diff --git a/kubernetes/log/components/log-logstash/resources/config/onap-pipeline.conf b/kubernetes/log/components/log-logstash/resources/config/onap-pipeline.conf
deleted file mode 100644
index b224bf3173..0000000000
--- a/kubernetes/log/components/log-logstash/resources/config/onap-pipeline.conf
+++ /dev/null
@@ -1,276 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -input { - beats { - - ## Add a id to plugin configuration. Can be anything unique. - id => 'beats_plugin' - - ######## Connection configurations ######## - - ## The port to listen on. - port => {{.Values.service.externalPort}} - - ## Close Idle clients after the specified time in seconds. Default is 60 seconds - #client_inactivity_timeout => 60 - - ######## Security configurations ######## - - ## Enable encryption. Default false. - #ssl => $filebeat_ssl - - ## ssl certificate path. - #ssl_certificate => $filebeat_ssl_certificate - - ## SSL key to use. - #ssl_key => $filebeat_ssl_key - - ##SSL key passphrase to use. - #ssl_key_passphrase => $filebeat_ssl_key_passphrase - - ## Value can be any of: none, peer, force_peer. - #ssl_verify_mode => $filebeat_ssl_verify_mode - - ## Time in milliseconds for an incomplete ssl handshake to timeout. Default is 10000 ms. 
- #ssl_handshake_timeout => 10000 - include_codec_tag => false - } -} - - -filter { - grok { - break_on_match => false - match => { - "source" => ["/var/log/onap/(?[^/]+)/", - "/var/log/onap/%{GREEDYDATA:componentLogFile}" - ] - } - } - - # Filter for log4j xml events - if "" in [message] { - - #mutate { add_field => { "orgmsg_log4j" => "%{message}" } } # Copy of orginal msg for debug - - #Filter to parse xml event and retrieve data - xml { - source => "message" - store_xml => false - remove_namespaces => true - target => "xml_content" - xpath => [ "/event/message/text()", "logmsg" , - "/event/@logger", "Logger", - "/event/@timestamp", "Timestamp", - "/event/@level", "loglevel", - "/event/@thread", "Thread", - "/event/throwable/text()", "Exceptionthrowable", - "/event/NDC/text()", "NDCs", - "/event/properties/data/@name","mdcname", - "/event/properties/data/@value","mdcvalue"] - - } - - #Ruby filter to iterate and separate MDCs into documents - ruby { - code => ' - $i = 0 - $num = 0 - if event.get("[mdcname]") - $num = event.get("[mdcname]").length - end - if $num != 0 - until $i > $num do - if event.get("[mdcname]").at($i) and event.get("[mdcvalue]").at($i) - event.set(event.get("[mdcname]").at($i), event.get("[mdcvalue]").at($i)) - end - $i=$i+1 - end - end - ' - } - - #Validations - if [Exceptionthrowable] - { - mutate { - replace => { - "exceptionmessage" => "%{[Exceptionthrowable]}" - } - } - } - - if [NDCs] - { - mutate { - replace => { - "NDC" => "%{[NDCs]}" - } - } - } - - mutate { - replace => { - "Logger" =>"%{[Logger]}" - "logmsg" =>"%{[logmsg]}" - "Timestamp" =>"%{[Timestamp]}" - "loglevel" =>"%{[loglevel]}" - "message" => "%{logmsg}" - "Thread" => "%{[Thread]}" - } - remove_field => ["mdcname", "mdcvalue", "logmsg","Exceptionthrowable","NDCs"] - } - - if [Timestamp] - { - date { - match => ["Timestamp", "UNIX_MS"] - target => "Timestamp" - } - } - } - # Filter for logback events - else { - - #mutate { add_field => { "orgmsg" => "%{message}" } } # Copy 
of orginal msg for debug - - mutate { - gsub => [ - 'message', ' = ', '=', - 'message', '= ', '=null', - 'message', '=\t', '=null\t', #This null is followed by a tab - 'message', '\t$', '\t' - ] - } - # The grok below parses the message field for all current logback patterns used by oom components. - # Example logback pattern: %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC}|%X{RequestId}|%msg - # Example grok pattern: %{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message} - # Use the following command to find all logback patterns in oom directory: find oom -name "logback*xml" -exec grep "property.*attern.*value" {} \;|sort|uniq - grok { - match => { - "message" => [ - "%{TIMESTAMP_ISO8601:Timestamp}\\t[%{GREEDYDATA:Thread}]\\t%{GREEDYDATA:loglevel}\\t%{JAVACLASS:Logger}\\t%{GREEDYDATA:MDCs}\\t%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:TargetVirtualEntity}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}", - 
"%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Timer}\|\[%{GREEDYDATA:caller}\]\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:ErrorCode}\|%{GREEDYDATA:ErrorDesc}\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ClassName}\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message}", - "\[%{TIMESTAMP_ISO8601:Timestamp}\|%{LOGLEVEL:loglevel}\|%{GREEDYDATA:Logger}\|%{GREEDYDATA:Thread}\] %{GREEDYDATA:message}" - ] - } - overwrite => ["message"] - } - # The MDCs are key value pairs that are seperated by "," or "\t". Extra space characters are trimmed from the keys and values. 
- kv { - source => "MDCs" - field_split => ",\t" - trim_key => "\s" - trim_value => "\s" - remove_field => [ "MDCs" ] - } - - if (![Timestamp] and [EndTimestamp]) { - mutate { add_field => { "Timestamp" => "%{EndTimestamp}" } } - } - date { - match => [ "Timestamp", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS" ] - target => "Timestamp" - } - - mutate { - remove_field => ["DuplicateRequestID", "Unknown1", "Unknown2", "Unknown3", "Unknown4", "Unknown5", "Unknown6", "Unknown7", "Unknown8"] - } - - if ([source] == "/var/log/onap/sdc/sdc-be/audit.log") { - #Parse kvps in message - kv { - field_split => "\s" - trim_key => "\s" - trim_value => "\s" - } - - #If Request Id is missing and DID is present use as RequestId - if (![RequestId] and [DID] =~ /.+/) { - mutate { add_field => { "RequestId" => "%{DID}" } } - } - } - - } #Close else statement for logback events -} #Close filter - - -output { - elasticsearch { - id => 'onap_es' - - ######### Security configurations ######### - - user => "elastic" - password => "changeme" - - ## The .cer or .pem file to validate the server's certificate - #cacert => $es_cacert - - ## The keystore used to present a certificate to the server. It can be either .jks or .p12 - #keystore => $es_keystore - #keystore_password => $es_keystore_password - - ## Enable SSL/TLS secured communication to Elasticsearch cluster. - ## Default is not set which in that case depends on the protocol specidfied in hosts list - #ssl => $es_ssl - - ## Option to validate the server's certificate. Default is true - #ssl_certificate_verification => $es_ssl_certificate_verification - - ## The JKS truststore to validate the server's certificate. - #truststore => $es_truststore - #truststore_password => $es_truststore_password - - - ######### Elasticsearchcluster and host configurations ######### - - ##can specify one or a list of hosts. 
If sniffing is set, one is enough and others will be auto-discovered - hosts => ["http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}:{{.Values.config.elasticsearchPort}}"] - - - ## This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list. Default is false. - sniffing => true - - ## How long to wait, in seconds, between sniffing attempts. Default is 5 seconds. - #sniffing_delay => 5 - - ## Set the address of a forward HTTP proxy. - #proxy => $es_proxy - - ##Use this if you must run Elasticsearch behind a proxy that remaps the root path for the Elasticsearch HTTP API lives - #path => $es_path - - ######### Elasticsearch request configurations ######### - - ## This setting defines the maximum sized bulk request Logstash will make. - #flush_size => ? - - ######### Document configurations ######### - - index => "logstash-%{+YYYY.MM.dd}" - document_type => "logs" - - ## This can be used to associate child documents with a parent using the parent ID. - #parent => "abcd' - } -} - diff --git a/kubernetes/log/components/log-logstash/templates/NOTES.txt b/kubernetes/log/components/log-logstash/templates/NOTES.txt deleted file mode 100644 index f115eb6f23..0000000000 --- a/kubernetes/log/components/log-logstash/templates/NOTES.txt +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/log/components/log-logstash/templates/configmap.yaml b/kubernetes/log/components/log-logstash/templates/configmap.yaml deleted file mode 100644 index 3e98246df1..0000000000 --- a/kubernetes/log/components/log-logstash/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/log/components/log-logstash/templates/deployment.yaml b/kubernetes/log/components/log-logstash/templates/deployment.yaml deleted file mode 100644 index 92817fac88..0000000000 --- a/kubernetes/log/components/log-logstash/templates/deployment.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - log-elasticsearch - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.elasticRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . 
| indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - - containerPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} -# disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/share/logstash/config/ - name: {{ include "common.fullname" . }}-config - - mountPath: /usr/share/logstash/pipeline/ - name: {{ include "common.fullname" . }}-pipeline - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }} - items: - - key: logstash.yml - path: logstash.yml - - name: {{ include "common.fullname" . }}-pipeline - configMap: - name: {{ include "common.fullname" . }} - items: - - key: onap-pipeline.conf - path: onap-pipeline.conf - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/log/components/log-logstash/templates/ingress.yaml b/kubernetes/log/components/log-logstash/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/log/components/log-logstash/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} 
diff --git a/kubernetes/log/components/log-logstash/templates/service.yaml b/kubernetes/log/components/log-logstash/templates/service.yaml
deleted file mode 100644
index 7736f0c9d7..0000000000
--- a/kubernetes/log/components/log-logstash/templates/service.yaml
+++ /dev/null
@@ -1,70 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name2 }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type2 }} - ports: - {{if eq .Values.service.type2 "NodePort" -}} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.name2 }} - {{- else -}} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/log/components/log-logstash/values.yaml b/kubernetes/log/components/log-logstash/values.yaml deleted file mode 100644 index 0ffb32aa68..0000000000 --- a/kubernetes/log/components/log-logstash/values.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# - -# application image -image: logstash/logstash:5.4.3 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - elasticsearchServiceName: log-es - elasticsearchPort: 9200 - -# default number of instances -# 30+ logs/sec will saturate a single node to 6+ vCores -replicaCount: 3 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - #Example service definition with external, internal and node ports. - #Services may use any combination of ports depending on the 'type' of - #service being defined. 
- type: NodePort - name: log-ls - externalPort: 5044 - internalPort: 5044 - nodePort: 55 - type2: ClusterIP - name2: log-ls-http - externalPort2: 9600 - internalPort2: 9600 -ingress: - enabled: false - service: - - baseaddr: "log-ls-api" - name: "log-ls" - port: 5044 - - baseaddr: "log-ls-http-api" - name: "log-ls" - port: 9600 - config: - ssl: "none" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 0.5 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/log/values.yaml b/kubernetes/log/values.yaml deleted file mode 100644 index ddcf5235cd..0000000000 --- a/kubernetes/log/values.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 diff --git a/kubernetes/modeling/Chart.yaml b/kubernetes/modeling/Chart.yaml index c70962627a..72e6b880d2 100644 --- a/kubernetes/modeling/Chart.yaml +++ b/kubernetes/modeling/Chart.yaml 
@@ -17,9 +17,9 @@ apiVersion: v2 description: ONAP Modeling (Modeling) name: modeling -version: 12.0.0 +version: 13.0.0 dependencies: - name: modeling-etsicatalog - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/modeling-etsicatalog' diff --git a/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml b/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml index a90c700a8e..80db5cc8b9 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml @@ -17,26 +17,26 @@ apiVersion: v2 description: ONAP Modeling - Etsicatalog name: modeling-etsicatalog -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: mariadb-init - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - condition: not global.mariadbGalera.localCluster + condition: global.mariadbGalera.globalCluster - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml index 72eced7710..fbe3e0ca07 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml 
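Review bot: In modeling-etsicatalog/Chart.yaml the `mariadb-init` dependency is now gated on `global.mariadbGalera.globalCluster` while `mariadb-galera` stays gated on `localCluster`, and nothing in the chart keeps the two flags opposite. With both set to false neither dependency is enabled, and the readiness init container in templates/deployment.yaml would then wait on a config job that is presumably created by `mariadb-init` and so never appears; with both true, both sub-charts are enabled. A render-time guard would catch this, for example `{{- if eq .Values.global.mariadbGalera.localCluster .Values.global.mariadbGalera.globalCluster }}{{ fail "set exactly one of localCluster / globalCluster" }}{{- end }}`.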
@@ -41,8 +41,13 @@ spec: - command: - /app/ready.py args: - - -j - - "{{ include "common.release" . }}-{{ include "common.name" . }}-config-job" +{{- if .Values.global.mariadbGalera.localCluster }} + - --service-name + - {{ index .Values "mariadb-galera" "service" "name" }} +{{- else }} + - --job-name + - {{ include "common.release" . }}-etsicatalog-db-config-job +{{- end }} env: - name: NAMESPACE valueFrom: @@ -52,8 +57,15 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-job-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{ if .Values.config.msb_enabled }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for.msb ) | indent 6 | trim }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} {{ end }} - command: - /bin/sh @@ -121,16 +133,12 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-etsicatalog mountPath: /service/modeling/etsicatalog/static - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/modeling/etsicatalog/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -151,9 +159,6 @@ spec: {{- else }} emptyDir: {} {{- end }} - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig 
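Review bot: The `resources` block added to the `-job-readiness` init container is hard-coded in the template (limits `cpu: "100m"` / `memory: "500Mi"`, requests `3m` / `20Mi`), so operators cannot tune it through values. The same literal block is repeated in the kube2msb, msb-discovery, msb-eag and msb-iag deployment templates in this commit. The same hunk already calls `common.readinessCheck.waitFor` for the MSB wait; if that helper renders an equivalent container, using it for the database wait as well would keep these limits in one place. Otherwise read them from values, e.g. `resources: {{ toYaml .Values.readinessCheck.resources | nindent 10 }}`, where the key name is a suggestion rather than an existing one and the indent must match the template.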
@@ -161,5 +166,4 @@ spec: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml index 21abce3dda..83cfde8a7b 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml @@ -22,8 +22,13 @@ global: mountPath: /dockerdata-nfs mariadbGalera: - #This flag allows Modeling to instantiate its own mariadb-galera cluster + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows SO to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) localCluster: false + globalCluster: true service: mariadb-galera internalPort: 3306 nameOverride: mariadb-galera @@ -32,10 +37,8 @@ global: readinessCheck: wait_for: - msb: - name: msb - containers: - - msb-iag + services: + - msb-iag ################################################################# # Secrets metaconfig @@ -54,6 +57,7 @@ secrets: mariadb-galera: db: + user: &dbUser etsicatalog externalSecret: *dbSecretName name: &mysqlDbName etsicatalog nameOverride: &modeling-db modeling-db 
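Review bot: The new comment on `localCluster` in modeling-etsicatalog/values.yaml reads `#This flag allows SO to instantiate its own mariadb-galera cluster`, but this chart is Modeling and the line it replaces said "Modeling", so the text looks copied from another chart. Suggest `# This flag allows Modeling to instantiate its own mariadb-galera cluster`. The new `useOperator: true` default would also benefit from one line saying what has to be installed in the cluster beforehand, which the hunk does not state.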
@@ -67,13 +71,19 @@ mariadb-galera: disableNfsProvisioner: true serviceAccount: nameOverride: *modeling-db + replicaCount: 1 + mariadbOperator: + galera: + enabled: false mariadb-init: config: userCredentialsExternalSecret: *dbSecretName mysqlDatabase: *mysqlDbName # nameOverride should be the same with common.name - nameOverride: modeling-etsicatalog + nameOverride: etsicatalog-db + serviceAccount: + nameOverride: etsicatalog-db ################################################################# # Application configuration defaults. @@ -97,7 +107,7 @@ config: #application configuration user password about mariadb db: - userName: etsicatalog + userName: *dbUser # userPassword: password # userCredentialsExternalSecret: some-secret @@ -168,18 +178,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} #Pods Service Account diff --git a/kubernetes/msb/Chart.yaml b/kubernetes/msb/Chart.yaml index 84b1a0f523..67db10be70 100644 --- a/kubernetes/msb/Chart.yaml +++ b/kubernetes/msb/Chart.yaml 
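Review bot: In the `mariadb-init` block the context comment `# nameOverride should be the same with common.name` is now contradicted by the new value `nameOverride: etsicatalog-db`. The readiness init container in templates/deployment.yaml waits on the literal `{{ include "common.release" . }}-etsicatalog-db-config-job`, so the actual constraint is that this override matches that job name. Suggest replacing the comment with `# must match the --job-name used by the readiness init container in templates/deployment.yaml`, or deriving the job name in the template from `index .Values "mariadb-init" "nameOverride"` so the two cannot drift apart.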
@@ -18,28 +18,28 @@ apiVersion: v2 description: ONAP MicroServices Bus name: msb -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: kube2msb - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/kube2msb' - name: msb-consul - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/msb-consul' - name: msb-discovery - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/msb-discovery' - name: msb-eag - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/msb-eag' - name: msb-iag - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/msb-iag' diff --git a/kubernetes/msb/components/kube2msb/Chart.yaml b/kubernetes/msb/components/kube2msb/Chart.yaml index b72e4fb921..2e823e69b8 100644 --- a/kubernetes/msb/components/kube2msb/Chart.yaml +++ b/kubernetes/msb/components/kube2msb/Chart.yaml @@ -16,12 +16,12 @@ apiVersion: v2 description: ONAP MicroServices Bus Kube2MSB Registrator name: kube2msb -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/kube2msb/templates/deployment.yaml b/kubernetes/msb/components/kube2msb/templates/deployment.yaml index ed99deea43..b83d4c9d99 100644 --- a/kubernetes/msb/components/kube2msb/templates/deployment.yaml +++ b/kubernetes/msb/components/kube2msb/templates/deployment.yaml @@ -41,7 +41,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - msb-discovery env: - name: NAMESPACE 
@@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -61,12 +68,7 @@ spec: value: {{ .Values.config.kubeMasterUrl }} - name: MSB_URL value: {{tpl $.Values.config.discoveryUrl .}} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -75,9 +77,4 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/msb/components/kube2msb/values.yaml b/kubernetes/msb/components/kube2msb/values.yaml index d2a0a15f49..bdc7c06b3b 100644 --- a/kubernetes/msb/components/kube2msb/values.yaml +++ b/kubernetes/msb/components/kube2msb/values.yaml @@ -55,16 +55,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 500m - memory: 500Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/msb/components/msb-consul/Chart.yaml b/kubernetes/msb/components/msb-consul/Chart.yaml index d75b7292e0..356ca84972 100644 --- a/kubernetes/msb/components/msb-consul/Chart.yaml +++ b/kubernetes/msb/components/msb-consul/Chart.yaml 
@@ -16,15 +16,15 @@ apiVersion: v2 description: ONAP MicroServices Bus Consul name: msb-consul -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-consul/templates/deployment.yaml b/kubernetes/msb/components/msb-consul/templates/deployment.yaml index d03829d89d..d229590da0 100644 --- a/kubernetes/msb/components/msb-consul/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-consul/templates/deployment.yaml @@ -68,14 +68,10 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/docker-entrypoint.sh name: entrypoint subPath: docker-entrypoint.sh - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -86,12 +82,8 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: entrypoint configMap: name: {{ include "common.fullname" . }}-entrypoint defaultMode: 0777 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/msb/components/msb-consul/values.yaml b/kubernetes/msb/components/msb-consul/values.yaml index 01f246689f..37ccf988d8 100644 --- a/kubernetes/msb/components/msb-consul/values.yaml +++ b/kubernetes/msb/components/msb-consul/values.yaml 
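Review bot: The volumes hunk in msb-consul/templates/deployment.yaml keeps `defaultMode: 0777` on the `entrypoint` configMap volume while cleaning up the entries around it. The mounted script only needs to be readable and executable, so `defaultMode: 0755` states the intent without write bits for group and others. The pod spec starts outside the hunk, so the container's user and security context were not reviewed.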
@@ -69,18 +69,18 @@ flavor: small resources: small: limits: - cpu: 20m - memory: 100Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 10m - memory: 50Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 40m - memory: 200Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 20m - memory: 100Mi + cpu: "1" + memory: "1Gi" unlimited: {} securityContext: diff --git a/kubernetes/msb/components/msb-discovery/Chart.yaml b/kubernetes/msb/components/msb-discovery/Chart.yaml index a29970ae35..545bc0082a 100644 --- a/kubernetes/msb/components/msb-discovery/Chart.yaml +++ b/kubernetes/msb/components/msb-discovery/Chart.yaml @@ -16,15 +16,15 @@ apiVersion: v2 description: ONAP MicroServices Bus Discovery name: msb-discovery -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-discovery/templates/deployment.yaml b/kubernetes/msb/components/msb-discovery/templates/deployment.yaml index d9f902be4d..4f286535dc 100644 --- a/kubernetes/msb/components/msb-discovery/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-discovery/templates/deployment.yaml @@ -40,7 +40,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - msb-consul env: - name: NAMESPACE @@ -51,6 +51,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -75,13 +82,9 @@ spec: - name: CONSUL_IP value: msb-consul.{{ include "common.namespace" . }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/discover-works/logs name: {{ include "common.fullname" . }}-logs - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -101,8 +104,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/msb/components/msb-discovery/values.yaml b/kubernetes/msb/components/msb-discovery/values.yaml index 678dde79fa..b8c361a296 100644 --- a/kubernetes/msb/components/msb-discovery/values.yaml +++ b/kubernetes/msb/components/msb-discovery/values.yaml @@ -69,18 +69,18 @@ flavor: small resources: small: limits: - cpu: 400m - memory: 400Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 200m - memory: 200Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 800m - memory: 800Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 400m - memory: 400Mi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/msb/components/msb-eag/Chart.yaml b/kubernetes/msb/components/msb-eag/Chart.yaml index 55dd2401c7..d42c99388d 100644 --- a/kubernetes/msb/components/msb-eag/Chart.yaml +++ b/kubernetes/msb/components/msb-eag/Chart.yaml 
@@ -16,18 +16,15 @@ apiVersion: v2 description: ONAP MicroServices Bus Internal API Gateway name: msb-eag -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file 
diff --git a/kubernetes/msb/components/msb-eag/templates/configmap.yaml b/kubernetes/msb/components/msb-eag/templates/configmap.yaml index 30c0a80209..62bbf4272a 100644 --- a/kubernetes/msb/components/msb-eag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-eag/templates/configmap.yaml @@ -21,11 +21,4 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} + diff --git a/kubernetes/msb/components/msb-eag/templates/deployment.yaml b/kubernetes/msb/components/msb-eag/templates/deployment.yaml index c6cf2d150d..da2afc3bfc 100644 --- a/kubernetes/msb/components/msb-eag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-eag/templates/deployment.yaml @@ -24,11 +24,10 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: - - --container-name + - --service-name - msb-discovery env: - name: NAMESPACE @@ -39,6 +38,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -49,13 +55,13 @@ spec: {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: @@ -66,19 +72,9 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -91,20 +87,10 @@ spec: {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx - {{- end }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml index 1c3f3131d6..49f0be78f5 100644 --- a/kubernetes/msb/components/msb-eag/values.yaml +++ b/kubernetes/msb/components/msb-eag/values.yaml 
@@ -18,41 +18,11 @@ global: nodePortPrefix: 302 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-eag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: msb-eag - fqi: msb-eag@msb-eag.onap.org - fqi_namespace: org.onap.msb-eag - public_fqdn: msb-eag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/msb/msb_apigateway:1.4.0 +image: onap/msb/msb_apigateway:1.6.0 pullPolicy: Always istioSidecar: true @@ -82,15 +52,12 @@ readiness: service: type: NodePort name: msb-eag - both_tls_and_plain: true # for liveness and readiness probe only # internalPort: - internalPort: 443 - internalPlainPort: 80 + internalPort: 80 ports: - name: msb-eag - port: 443 - plain_port: 80 + port: 80 port_protocol: http nodePort: '84' 
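Review bot: After the service hunk in msb-eag/values.yaml the external API gateway listens only on `internalPort: 80` with `port_protocol: http`, yet the service stays `type: NodePort` with `nodePort: '84'`, so the gateway appears to be reachable in cleartext on a node port now that the 443 listener and its certificate are gone. If TLS is meant to be terminated by the ingress (`ssl: "redirect"` in the next hunk) or by the mesh (`istioSidecar: true`), say so in a comment next to `service:` and consider `type: ClusterIP` so that the only external path is the one that enforces TLS. Whether the common service template already rewrites NodePort when ingress is enabled is not visible in this diff and needs confirming against that template. The same removal of `msbhttps.conf` and the cert initializer is applied to msb-iag further down.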
@@ -99,8 +66,7 @@ ingress: service: - baseaddr: "msb-eag-ui" name: "msb-eag" - port: 443 - plain_port: 80 + port: 80 config: ssl: "redirect" @@ -110,18 +76,18 @@ flavor: small resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 100m - memory: 200Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 400m - memory: 800Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 200m - memory: 400Mi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/msb/components/msb-iag/Chart.yaml b/kubernetes/msb/components/msb-iag/Chart.yaml index d015cceee5..50fa020c8b 100644 --- a/kubernetes/msb/components/msb-iag/Chart.yaml +++ b/kubernetes/msb/components/msb-iag/Chart.yaml @@ -16,18 +16,15 @@ apiVersion: v2 description: ONAP MicroServices Bus Internal API Gateway name: msb-iag -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-iag/templates/configmap.yaml b/kubernetes/msb/components/msb-iag/templates/configmap.yaml index 30c0a80209..7214c8a95f 100644 --- a/kubernetes/msb/components/msb-iag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-iag/templates/configmap.yaml @@ -21,11 +21,3 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/components/msb-iag/templates/deployment.yaml b/kubernetes/msb/components/msb-iag/templates/deployment.yaml index c6cf2d150d..da2afc3bfc 100644 
--- a/kubernetes/msb/components/msb-iag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-iag/templates/deployment.yaml @@ -24,11 +24,10 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: - - --container-name + - --service-name - msb-discovery env: - name: NAMESPACE @@ -39,6 +38,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -49,13 +55,13 @@ spec: {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: 
@@ -66,19 +72,9 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -91,20 +87,10 @@ spec: {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx - {{- end }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml index 4bb772da16..19b500a62c 100644 --- a/kubernetes/msb/components/msb-iag/values.yaml +++ b/kubernetes/msb/components/msb-iag/values.yaml 
@@ -18,41 +18,11 @@ global: nodePortPrefix: 302 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-iag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: msb-iag - fqi: msb-iag@msb-iag.onap.org - fqi_namespace: org.onap.msb-iag - public_fqdn: msb-iag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/msb/msb_apigateway:1.4.0 +image: onap/msb/msb_apigateway:1.6.0 pullPolicy: Always istioSidecar: true @@ -82,15 +52,12 @@ readiness: service: type: NodePort name: msb-iag - both_tls_and_plain: true # for liveness and readiness probe only # internalPort: - internalPort: 443 - internalPlainPort: 80 + internalPort: 80 ports: - name: msb-iag - port: 443 - plain_port: 80 + port: 80 port_protocol: http nodePort: '83' 
@@ -99,8 +66,7 @@ ingress: service: - baseaddr: "msb-iag-ui" name: "msb-iag" - port: 443 - plain_port: 80 + port: 80 config: ssl: "redirect" @@ -110,18 +76,18 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 400Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 50m - memory: 200Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 200m - memory: 800Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 100m - memory: 400Mi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/multicloud/Chart.yaml b/kubernetes/multicloud/Chart.yaml index 2b49b60025..48a3b9631a 100644 --- a/kubernetes/multicloud/Chart.yaml +++ b/kubernetes/multicloud/Chart.yaml 
@@ -18,43 +18,43 @@ apiVersion: v2 description: ONAP multicloud broker name: multicloud -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: multicloud-fcaps - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-fcaps' condition: multicloud-fcaps.enabled - name: multicloud-k8s - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-k8s' condition: multicloud-k8s.enabled - name: multicloud-pike - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-pike' condition: multicloud-pike.enabled - name: multicloud-prometheus - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-prometheus' condition: multicloud-prometheus.enabled - name: multicloud-starlingx - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-starlingx' condition: multicloud-starlingx.enabled - name: multicloud-vio - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-vio' condition: multicloud-vio.enabled - name: multicloud-windriver - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-windriver' condition: multicloud-windriver.enabled - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml index 3378830f3e..b825f67969 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml 
@@ -16,15 +16,15 @@ apiVersion: v2 description: ONAP multicloud OpenStack fcaps Plugin name: multicloud-fcaps -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml index 2750f5f145..7c850a4463 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml 
@@ -16,91 +16,73 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" - name: {{ include "common.name" . 
}} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: fcaps-log - - mountPath: /opt/fcaps/fcaps/pub/config/log.yml - name: fcaps-logconfig - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /api/multicloud-fcaps/v1/healthcheck - port: {{ .Values.service.internalPort }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.rabbitmq }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: rabbit-mq - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: memcached - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: fcaps-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 5 }} - - name: fcaps-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . 
}}-docker-registry-key" - restartPolicy: Always + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "false" + name: {{ include "common.name" . }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: fcaps-log + - mountPath: /opt/fcaps/fcaps/pub/config/log.yml + name: fcaps-logconfig + subPath: log.yml + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /api/multicloud-fcaps/v1/healthcheck + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.rabbitmq }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: rabbit-mq + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: memcached + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: fcaps-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} + - name: fcaps-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-fcaps/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-fcaps/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-fcaps/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml b/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml index e73a942172..ce6f1479bd 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml 
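Review bot: `AAI_PASSWORD` is still rendered as a literal `value:` from `.Values.config.aai.password`, so the credential appears in the Deployment manifest and in the pod spec, readable by anyone allowed to view either. With `MSB_PROTO` fixed to `"http"` and `SSL_ENABLED` to `"false"` in the same env list, the chart itself no longer encrypts the calls that presumably carry it, which leaves that to the mesh sidecar. Read it from a Secret instead, as the multicloud-k8s deployment in this commit does for `SASL_JAAS_CONFIG`. The values.yaml context later in the diff shows the default is `password: AAI`, so that default also needs to be overridden per installation.

```yaml
        # … unchanged: MSB_*, AAI_ADDR, AAI_PORT, AAI_SCHEMA_VERSION, AAI_USERNAME …
        - name: AAI_PASSWORD
          valueFrom:
            secretKeyRef:
              # placeholder: Secret that holds the AAI credentials
              name: <AAI_CREDS_SECRET_PLACEHOLDER>
              key: password
        # … unchanged: SSL_ENABLED and the rest of the container spec …
```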
+++ b/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml 
@@ -1,62 +1,18 @@ {{/* # Copyright (c) 2019, CMCC Technologies Co., Ltd. -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-fcaps", - "version": "v0", - "url": "/api/multicloud-fcaps/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) 
}}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-fcaps", - "version": "v1", - "url": "/api/multicloud-fcaps/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/components/multicloud-fcaps/values.yaml b/kubernetes/multicloud/components/multicloud-fcaps/values.yaml index b9e90af1ef..f6adfba5ae 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/values.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/values.yaml @@ -30,13 +30,10 @@ istioSidecar: true # application configuration config: - ssl_enabled: true msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 + msbPort: 80 aai: - aaiPort: 8443 - aaiPlainPort: 8080 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI 
@@ -58,15 +55,42 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud-fcaps - portName: http - externalPort: 9011 + type: NodePort internalPort: 9011 - nodePort: 87 + ports: + - name: http + port: 9011 + nodePort: '87' + useNodePortExt: true + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-fcaps", + "version": "v0", + "url": "/api/multicloud-fcaps/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-fcaps", + "version": "v1", + "url": "/api/multicloud-fcaps/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-fcaps-api' + name: 'multicloud-fcaps' + port: 9011 # Resource Limit flavor -By Default using small flavor: small @@ -74,18 +98,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} # rabbit-mq image resource diff --git a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml index faf9ebfe0b..4099f826ce 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml 
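Review bot: `service.type` changes from `ClusterIP` to `NodePort` with `useNodePortExt: true` and `nodePort: '87'`, so the fcaps API, which the annotation marks `"enable_ssl": false`, becomes reachable over plain HTTP on a port of every cluster node unless the `common.service` template (not shown here) overrides the type. If external reachability is not required, keep `type: ClusterIP` as the default and let the `ingress` block added in this hunk provide access. Otherwise add a comment such as `# NodePort serves plain HTTP; restrict node-port access with a NetworkPolicy or firewall rule`. The multicloud-k8s values.yaml hunk later in the diff makes the same change with `nodePort: '98'`.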
@@ -17,24 +17,24 @@ apiVersion: v2 description: ONAP Multicloud Kubernetes Plugin name: multicloud-k8s -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: mongo - version: ~12.x-0 + - name: mongodb + version: 14.12.2 repository: '@local' - name: etcd - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json b/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json index 4a08322634..54b2b0e12b 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json +++ b/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json @@ -44,8 +44,10 @@ "CLOUD_TECHNOLOGY_SPECIFIC_ARTIFACT", "HELM" ], - "consumerGroup": "{{ .Values.config.kafka.sdcTopic.consumerGroup }}", - "consumerId": "{{ .Values.config.kafka.sdcTopic.clientId }}", + {{- with (first .Values.kafkaUser.acls) }} + "consumerGroup": "{{ .name }}", + "consumerId": "{{ .name }}-k8s", + {{- end }} "environmentName": "AUTO", "keystorePath": "null", "keystorePassword": "null", diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml index 45494e1730..9881a13615 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml 
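Review bot: The `mongodb` dependency that replaces `mongo` here is configured later in this diff (multicloud-k8s values.yaml, `mongodb:` block) with `auth:` / `enabled: false`, so the plugin's database would accept unauthenticated connections from any workload that can reach `multicloud-k8s-mongo` on port 27017. Prefer `enabled: true` with credentials taken from a pre-created Secret (the chart's existing-secret option, if this is the Bitnami chart that the `global.imageRegistry` override suggests) and pass the same Secret to the plugin. If authentication has to stay off, state the reason in a comment next to `auth:` and limit access to the pod with a NetworkPolicy.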
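Review bot: `consumerGroup` and `consumerId` now come from `first .Values.kafkaUser.acls`, which ties the client's group id to the order of the ACL list in values.yaml. If the `topic` entry is ever listed first, the config is rendered with the topic prefix as group name; if the list is empty, the `with` block is skipped and both keys are missing, and in either case the group ACL granted to the KafkaUser would no longer match what the client uses. Select the entry by type instead, e.g. `{{- range .Values.kafkaUser.acls }}{{- if eq .type "group" }}` … `{{- end }}{{- end }}`, or at least add a comment in values.yaml that the group ACL must remain the first entry.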
@@ -16,24 +16,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -41,8 +29,7 @@ spec: name: {{ include "common.name" . }} command: ["/opt/multicloud/k8splugin/k8plugin"] workingDir: /opt/multicloud/k8splugin - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: @@ -56,14 +43,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/multicloud/k8splugin/k8sconfig.json name: {{ include "common.name" .}} subPath: k8sconfig.json - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -87,21 +70,16 @@ spec: - mountPath: /data name: artifact-data env: - - name: SECURITY_PROTOCOL - value: {{ .Values.config.kafka.securityProtocol }} - - name: SASL_MECHANISM - value: {{ .Values.config.kafka.saslMechanism }} - name: SASL_JAAS_CONFIG - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "multicloud-k8s-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name : {{ include "common.name" . }} configMap: name: {{ include "common.fullname" . }} - name: artifact-data emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} 
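Review bot: `SECURITY_PROTOCOL` and `SASL_MECHANISM` are no longer set, so the container that receives `SASL_JAAS_CONFIG` falls back to whatever the image defaults to. The hunk does not show those defaults; confirm they are a SASL protocol with the SCRAM mechanism the KafkaUser is created with, not an unauthenticated listener. The Secret name `{{ include "common.name" . }}-ku` is also spelled out here and has to match the name `common.kafkauser` gives the KafkaUser, so a comment beside `secretKeyRef` would help, for example `# Secret is created by Strimzi for the KafkaUser rendered in templates/kafkauser.yaml`. The container definition starts outside this hunk.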
diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/kafkauser.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/kafkauser.yaml new file mode 100644 index 0000000000..324a068cf0 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/multicloud-k8s-sdc-list-kafka-user.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/multicloud-k8s-sdc-list-kafka-user.yaml deleted file mode 100644 index 7600facb08..0000000000 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/multicloud-k8s-sdc-list-kafka-user.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.global.multicloudK8sKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: {{ .Values.config.kafka.saslMechanism | lower }} - authorization: - type: {{ .Values.config.kafka.authType }} - acls: - - resource: - type: group - name: {{ .Values.config.kafka.sdcTopic.consumerGroup }} - operation: All - - resource: - type: topic - patternType: prefix - name: {{ .Values.config.kafka.sdcTopic.pattern }} - operation: All diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml index b2b39db899..dc9695266a 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,39 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-k8s", - "version": "v1", - "url": "/", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.PortName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/values.yaml b/kubernetes/multicloud/components/multicloud-k8s/values.yaml index cae151ae58..5c9c0ad864 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/values.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/values.yaml 
@@ -19,19 +19,15 @@ global: nodePortPrefixExt: 304 persistence: {} artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 - multicloudK8sKafkaUser: mc-k8s-sdc-list-kafka-user - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: multicloud-k8s-sdc-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate + # Docker Repository used by RepositoryGenerator + dockerHubRepository: docker.io + # Additions for MongoDB**************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* ################################################################# # Application configuration defaults. @@ -40,16 +36,16 @@ secrets: image: onap/multicloud/k8s:0.10.1 pullPolicy: Always -config: - someConfig: blah - kafka: - securityProtocol: SASL_PLAINTEXT - saslMechanism: SCRAM-SHA-512 - authType: simple - sdcTopic: - pattern: SDC-DIST - consumerGroup: multicloud - clientId: multicloud-k8s +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: multicloud + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] # flag to enable debugging - application support required debugEnabled: false 
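Review bot: The new `kafkaUser.acls` entry for the `SDC-DISTR` topic prefix grants `operations: [Read, Write]` without saying why this component needs to produce to every topic under that prefix. This is narrower than the `operation: All` in the removed KafkaUser template, but Write on a prefix still allows the multicloud-k8s credentials to publish to any matching topic, presumably including topics that other components consume. If Write is only needed for a single topic (an assumption, since the topic names are not visible here), a separate ACL with that literal name would be tighter; otherwise add a comment above the entry such as `# Write needed for <topic>, Read for <topic>`. The prefix also changed from `SDC-DIST` to `SDC-DISTR`, which is worth confirming against the real topic names.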
@@ -76,53 +72,78 @@ readiness: periodSeconds: 30 service: - type: ClusterIP - name: multicloud-k8s - portName: http + type: NodePort internalPort: 9015 - externalPort: 9015 - nodePort: 98 + ports: + - name: http + port: 9015 + nodePort: '98' + useNodePortExt: true + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-k8s", + "version": "v1", + "url": "/", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: 'multicloud-k8s-api' + name: 'multicloud-k8s' + port: 9015 #Mongo chart overrides for k8splugin -mongo: +mongodb: nameOverride: multicloud-k8s-mongo service: - name: multicloud-k8s-mongo - internalPort: 27017 - nfsprovisionerPrefix: multicloud-k8s - sdnctlPrefix: multicloud-k8s + nameOverride: multicloud-k8s-mongo + port: 27017 + auth: + enabled: false + resources: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "500m" + memory: "2Gi" + +#etcd chart overrides for k8splugin +etcd: + nameOverride: multicloud-k8s-etcd + service: + name: multicloud-k8s-etcd + clientPortName: tcp-etcd-client + peerPortName: tcp-etcd-server persistence: - mountSubPath: multicloud-k8s/mongo/data + mountSubPath: multicloud-k8s/etcd/data enabled: true - disableNfsProvisioner: true - flavor: &storage_flavor large - resources: &storage_resources + flavor: large + resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 75Mi + cpu: "10m" + memory: "70Mi" large: limits: - cpu: 200m - memory: 1Gi + cpu: "200m" + memory: "1Gi" requests: - cpu: 50m - memory: 300Mi + cpu: "50m" + memory: "300Mi" unlimited: {} -#etcd chart overrides for k8splugin -etcd: - nameOverride: multicloud-k8s-etcd - service: - name: multicloud-k8s-etcd - persistence: - mountSubPath: multicloud-k8s/etcd/data - enabled: true - flavor: *storage_flavor - resources: 
*storage_resources # No persistence right now as we rely on Mongo to handle that persistence: @@ -133,9 +154,6 @@ persistence: mountPath: /dockerdata-nfs mountSubPath: multicloud-k8s/data -ingress: - enabled: false - artifactbroker: internalPort: 9014 @@ -144,18 +162,18 @@ flavor: large resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 10m - memory: 10Mi + cpu: "10m" + memory: "10Mi" large: limits: - cpu: 400m - memory: 1Gi + cpu: "400m" + memory: "1Gi" requests: - cpu: 10m - memory: 100Mi + cpu: "10m" + memory: "100Mi" unlimited: {} #Pods Service Account diff --git a/kubernetes/multicloud/components/multicloud-pike/Chart.yaml b/kubernetes/multicloud/components/multicloud-pike/Chart.yaml index fd844694d1..74d6b8ce29 100644 --- a/kubernetes/multicloud/components/multicloud-pike/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-pike/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP multicloud OpenStack Pike Plugin name: multicloud-pike -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml index 3174dae242..1822695eab 100644 --- a/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml 
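Review bot: The new `mongodb:` overrides set `auth: enabled: false`, so the database behind multicloud-k8s presumably accepts connections on `port: 27017` without credentials from any workload that can reach the service. Nothing in this hunk limits who can reach it, and whether the replaced `mongo:` chart enforced authentication is not visible here. Either enable authentication with credentials taken from a Secret, or record the compensating control next to the setting, for example `# auth disabled: access is restricted by <NetworkPolicy or mesh policy name>`.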
@@ -16,90 +16,72 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" - name: {{ include "common.name" . 
}} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: pike-log - - mountPath: /opt/pike/pike/pub/config/log.yml - name: pike-logconfig - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/sh"] - args: ["-c", "/bin/sh /opt/pike/run.sh"] - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /api/multicloud-pike/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: HTTP - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: memcached - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: pike-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 5 }} - - name: pike-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . 
}}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "false" + name: {{ include "common.name" . }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: pike-log + - mountPath: /opt/pike/pike/pub/config/log.yml + name: pike-logconfig + subPath: log.yml + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/sh"] + args: ["-c", "/bin/sh /opt/pike/run.sh"] + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /api/multicloud-pike/v0/swagger.json + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: memcached + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} + volumes: + - name: pike-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} + - name: pike-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-pike/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-pike/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml b/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml index 503fae375a..adbb87c70d 100644 --- a/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml 
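Review bot: With the `common.needTLS` branches removed, `MSB_PROTO` is fixed to `"http"` and `SSL_ENABLED` to `"false"`, so `AAI_USERNAME` and `AAI_PASSWORD` are always used over an unencrypted connection unless something outside this template, such as mesh mTLS, protects the traffic. The hunk also replaces the explicit `sidecar.istio.io/inject` annotation with `common.templateMetadata`, so whether a sidecar is injected can no longer be read from this file. A comment above the env block stating the assumption, such as `# plain HTTP by design: transport security is provided by the service mesh`, would make that dependency explicit. Separately, `AAI_PASSWORD` is still rendered from `.Values.config.aai.password` as a literal env value; sourcing it through `valueFrom.secretKeyRef` would keep it out of the pod spec. The multicloud-starlingx deployment.yaml hunks make the same `http`/`false` change.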
@@ -1,61 +1,18 @@ {{/* # Copyright (c) 2018 Intel Corporation. -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-pike", - "version": "v0", - "url": "/api/multicloud-pike/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - }, - { - "serviceName": "multicloud-pike", - "version": "v1", - "url": "/api/multicloud-pike/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - } - ]' - -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/multicloud/components/multicloud-pike/values.yaml b/kubernetes/multicloud/components/multicloud-pike/values.yaml index 4ed7a64ecb..643daa7e3f 100644 --- a/kubernetes/multicloud/components/multicloud-pike/values.yaml +++ b/kubernetes/multicloud/components/multicloud-pike/values.yaml @@ -25,18 +25,12 @@ global: image: onap/multicloud/openstack-pike:1.5.7 pullPolicy: Always -#Istio sidecar injection policy -istioSidecar: true - # application configuration config: - ssl_enabled: false msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 + msbPort: 80 aai: - aaiPort: 8443 - aaiPlainPort: 8080 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI 
@@ -58,15 +52,41 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud-pike - portName: http - externalPort: 9007 + type: NodePort internalPort: 9007 - nodePort: 96 + ports: + - name: http + port: 9007 + nodePort: '96' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-pike", + "version": "v0", + "url": "/api/multicloud-pike/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-pike", + "version": "v1", + "url": "/api/multicloud-pike/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-pike-api' + name: 'multicloud-pike' + port: 9007 # Resource Limit flavor -By Default using small flavor: small @@ -74,18 +94,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} # memcached image resource diff --git a/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml b/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml index 0075548d2a..2ed930aa65 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml 
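Review bot: `service.type` changes from `ClusterIP` to `NodePort` by default, with `nodePort: '96'`, so a default install now requests a port on every node for the multicloud-pike API where the service was previously cluster-internal. The hunk gives no reason for the new default, and how `common.service` treats `NodePort` when ingress or a mesh is in use is not visible here. If external access is only needed in some deployments, keep `type: ClusterIP` as the default and let operators opt in, or document the behaviour with a comment such as `# NodePort is only rendered when <condition>`. The multicloud-k8s values.yaml hunk makes the same switch and additionally sets `useNodePortExt: true`.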
@@ -17,21 +17,21 @@ apiVersion: v2 description: ONAP Multicloud Prometheus name: multicloud-prometheus -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: prometheus-alertmanager - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/prometheus-alertmanager' - name: prometheus-grafana - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/prometheus-grafana' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml index 91fdb7dbb6..b4643db800 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml @@ -16,4 +16,4 @@ apiVersion: v2 description: ONAP Multicloud Prometheus Alert Manager name: prometheus-alertmanager -version: 12.0.0 +version: 13.0.0 diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml index ca56b670cd..185aa1e47b 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml 
@@ -93,8 +93,6 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always - {{- end -}} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml index ccd70b30cf..5b48f73a45 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml @@ -72,16 +72,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml index 1a5912f330..cc89de3d26 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml @@ -16,4 +16,4 @@ apiVersion: v2 description: ONAP Multicloud Grafana for Prometheus name: prometheus-grafana -version: 12.0.0 +version: 13.0.0 diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml index 2dea842733..e578feb96d 100644 
--- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml @@ -132,8 +132,6 @@ spec: name: {{ include "common.fullname" $ }}-dashboards-{{ . }} {{- end }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always - {{- end -}} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml index 43f4e93a6f..0d066bbdc7 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml @@ -99,16 +99,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml index 74941292fd..a75ac28b2d 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml 
@@ -16,25 +16,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - image: {{ include "repositoryGenerator.image.busybox" . }} @@ -70,8 +57,7 @@ spec: {{- end }} resources: {{ toYaml .Values.resources | indent 10 }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if .Values.liveness.enabled }} @@ -117,6 +103,5 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml b/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml index b8dbb687fb..ec4e1a7011 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml 
@@ -1,5 +1,6 @@ {{/* # Copyright 2018 Intel Corporation, Inc +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,29 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.portName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} \ No newline at end of file +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/multicloud/components/multicloud-prometheus/values.yaml b/kubernetes/multicloud/components/multicloud-prometheus/values.yaml index 78373c88f2..20ab052169 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/values.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/values.yaml @@ -52,10 +52,10 @@ persistence: #Service configuration for this chart service: type: ClusterIP - name: multicloud-prometheus - portName: http internalPort: 9090 - externalPort: 9090 + ports: + - name: http + port: 9090 # probe configuration parameters liveness: 
@@ -87,18 +87,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml b/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml index d4eac135bb..dd0d9e5564 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP multicloud OpenStack Starlingx Plugin name: multicloud-starlingx -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml index 7f178063b5..96942ddae5 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml 
@@ -16,40 +16,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: containers: - env: - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" + value: "http" - name: MSB_ADDR value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" + value: "{{ .Values.config.msbPort }}" - name: AAI_ADDR value: "aai.{{ include "common.namespace" . }}" - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" + value: "{{ .Values.config.aai.aaiPort }}" - name: AAI_SCHEMA_VERSION value: "{{ .Values.config.aai.schemaVersion }}" - name: AAI_USERNAME @@ -57,7 +42,7 @@ spec: - name: AAI_PASSWORD value: "{{ .Values.config.aai.password }}" - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" + value: "false" name: {{ include "common.name" . }} volumeMounts: - mountPath: "{{ .Values.log.path }}" 
@@ -67,11 +52,10 @@ spec: subPath: log.yml - mountPath: /opt/artifacts/ name: artifact-data - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -79,7 +63,7 @@ spec: httpGet: path: /api/multicloud-starlingx/v0/swagger.json port: {{ .Values.service.internalPort }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -87,7 +71,7 @@ spec: failureThreshold: {{ .Values.liveness.failureThreshold }} {{ end }} # side car containers - {{ include "common.log.sidecar" . | nindent 7 }} + {{ include "common.log.sidecar" . | nindent 6 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: memcached 
@@ -108,12 +92,11 @@ spec: volumes: - name: starlingx-log emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 7 }} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} - name: starlingx-logconfig configMap: name: {{ include "common.fullname" . }}-log-configmap - name: artifact-data emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-starlingx/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-starlingx/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml b/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml index 5c30c26296..6eb90e5630 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml 
@@ -1,62 +1,18 @@ {{/* # Copyright (c) 2019 Intel Corporation. -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-starlingx", - "version": "v0", - "url": "/api/multicloud-starlingx/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) 
}}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-starlingx", - "version": "v1", - "url": "/api/multicloud-starlingx/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/multicloud/components/multicloud-starlingx/values.yaml b/kubernetes/multicloud/components/multicloud-starlingx/values.yaml index 1fe7775aed..2f06b4b3d4 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/values.yaml +++ b/kubernetes/multicloud/components/multicloud-starlingx/values.yaml @@ -27,18 +27,12 @@ repository: nexus3.onap.org:10001 image: onap/multicloud/openstack-starlingx:1.5.7 pullPolicy: Always -#Istio sidecar injection policy -istioSidecar: false - # application configuration config: - ssl_enabled: true msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 + msbPort: 80 aai: - aaiPort: 8443 - aaiPlainPort: 8080 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI 
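Review bot: The rewritten multicloud-starlingx `service.yaml` ends without a trailing newline (`\ No newline at end of file` after `{{ include "common.service" . }}`), while the `ingress.yaml` added beside it ends with one. End the file with a newline so that a later edit does not show up as a changed last line. The multicloud-vio `service.yaml` further down carries the same marker.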
@@ -60,15 +54,42 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud-starlingx - portName: multicloud-starlingx - externalPort: 9009 + type: NodePort internalPort: 9009 - nodePort: 85 + ports: + - name: http + port: 9009 + nodePort: '85' + useNodePortExt: true + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-starlingx", + "version": "v0", + "url": "/api/multicloud-starlingx/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-starlingx", + "version": "v1", + "url": "/api/multicloud-starlingx/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-starlingx-api' + name: 'multicloud-starlingx' + port: 9009 # Resource Limit flavor -By Default using small flavor: small @@ -76,18 +97,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} # memcached image resource diff --git a/kubernetes/multicloud/components/multicloud-vio/Chart.yaml b/kubernetes/multicloud/components/multicloud-vio/Chart.yaml index ed67b5e5d7..2efafe9267 100644 --- a/kubernetes/multicloud/components/multicloud-vio/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-vio/Chart.yaml 
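Review bot: `service.type` changes its default from `ClusterIP` to `NodePort` in the `@@ -60,15 +54,42 @@` hunk, with `nodePort: '85'` and `useNodePortExt: true`, while the same hunk advertises the API with `"enable_ssl": false`. Unless the `common.service` helper (not shown on this page) downgrades the type when ingress or a mesh is enabled, a default install would publish the plain-HTTP port 9009 on every node. Keeping `type: ClusterIP` as the default and letting deployments opt in to `NodePort` would be the safer choice; if the helper does handle this, a comment above `type:` saying under which condition it is rendered as `ClusterIP` would spare readers the lookup. The multicloud-vio and multicloud-windriver `values.yaml` hunks make the same change (node ports '92' and '94').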
@@ -18,15 +18,15 @@ apiVersion: v2 description: ONAP multicloud VIO plugin name: multicloud-vio -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml index c5c368c8b5..9e26cc3d14 100644 --- a/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml 
@@ -17,83 +17,65 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: vio-log - - mountPath: /opt/vio/vio/pub/config/log.yml - name: vio-logconfig - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: /api/multicloud-vio/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: HTTP - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} - # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: vio-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 5 }} - - name: vio-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + name: {{ include "common.name" . 
}} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: vio-log + - mountPath: /opt/vio/vio/pub/config/log.yml + name: vio-logconfig + subPath: log.yml + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + path: /api/multicloud-vio/v0/swagger.json + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end -}} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: vio-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} + - name: vio-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-vio/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-vio/templates/ingress.yaml 
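Review bot: `AAI_USERNAME` and `AAI_PASSWORD` are still rendered into the pod spec as literal `value:` strings from `.Values.config.aai.*` in the rewritten `env:` list, and the chart defaults for them are `AAI`/`AAI`. Anyone who can read the Deployment object sees the password, and with `MSB_PROTO` now fixed to `"http"` and `aaiPort` set to 80 these credentials presumably travel unencrypted unless a mesh adds mTLS. Consider sourcing the password from a Secret, e.g. `valueFrom: {secretKeyRef: {name: <aai-credentials-secret>, key: password}}` (the secret name is a placeholder), and documenting that the defaults must be overridden. The multicloud-starlingx and multicloud-windriver charts carry the same values.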
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml b/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml index 4a926df420..0cff91a68c 100644 --- a/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml 
@@ -1,61 +1,19 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-vio", - "version": "v0", - "url": "/api/multicloud-vio/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - }, - { - "serviceName": "multicloud-vio", - "version": "v1", - "url": "/api/multicloud-vio/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/multicloud/components/multicloud-vio/values.yaml b/kubernetes/multicloud/components/multicloud-vio/values.yaml index 3b852df885..1337362a34 100644 --- a/kubernetes/multicloud/components/multicloud-vio/values.yaml +++ b/kubernetes/multicloud/components/multicloud-vio/values.yaml @@ -26,17 +26,12 @@ global: image: onap/multicloud/vio:1.4.2 pullPolicy: Always -#Istio sidecar injection policy -istioSidecar: true - # application configuration config: msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 + msbPort: 80 aai: - aaiPort: 8443 - aaiPlainPort: 8080 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI 
@@ -58,15 +53,41 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud-vio - portName: http - externalPort: 9004 + type: NodePort internalPort: 9004 - nodePort: 92 + ports: + - name: http + port: 9004 + nodePort: '92' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-vio", + "version": "v0", + "url": "/api/multicloud-vio/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-vio", + "version": "v1", + "url": "/api/multicloud-vio/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-vio-api' + name: 'multicloud-vio' + port: 9004 # Resource Limit flavor -By Default using small flavor: small @@ -74,18 +95,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml b/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml index 3cf069b67b..110cba02c2 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml @@ -18,15 +18,15 @@ apiVersion: v2 description: ONAP multicloud OpenStack WindRiver Plugin name: multicloud-windriver -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml index 8eadcf689d..434c0d156e 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml @@ -17,27 +17,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: ["sh", "-c", "chown -R 100:101 /data"] 
@@ -50,15 +35,15 @@ spec: containers: - env: - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" + value: "http" - name: MSB_ADDR value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" + value: "{{ .Values.config.msbPort }}" - name: AAI_ADDR value: "aai.{{ include "common.namespace" . }}" - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" + value: "{{ .Values.config.aai.aaiPort }}" - name: AAI_SCHEMA_VERSION value: "{{ .Values.config.aai.schemaVersion }}" - name: AAI_USERNAME @@ -66,7 +51,7 @@ spec: - name: AAI_PASSWORD value: "{{ .Values.config.aai.password }}" - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" + value: "false" name: {{ include "common.name" . }} volumeMounts: - mountPath: "{{ .Values.log.path }}" @@ -76,11 +61,10 @@ spec: subPath: log.yml - mountPath: /opt/artifacts/ name: artifact-data - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} 
@@ -88,7 +72,7 @@ spec: httpGet: path: /api/multicloud-titaniumcloud/v1/swagger.json port: {{ .Values.service.internalPort }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -96,7 +80,7 @@ spec: failureThreshold: {{ .Values.liveness.failureThreshold }} {{ end }} # side car containers - {{ include "common.log.sidecar" . | nindent 7 }} + {{ include "common.log.sidecar" . | nindent 6 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: memcached @@ -117,7 +101,7 @@ spec: volumes: - name: windriver-log emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 7 }} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} - name: windriver-logconfig configMap: name: {{ include "common.fullname" . }}-log-configmap @@ -128,6 +112,5 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-windriver/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-windriver/templates/ingress.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml b/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml index f71306740f..578036bb8d 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml 
@@ -1,73 +1,19 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-titanium_cloud", - "version": "v0", - "url": "/api/multicloud-titanium_cloud/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) 
}}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-titaniumcloud", - "version": "v0", - "url": "/api/multicloud-titaniumcloud/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-titaniumcloud", - "version": "v1", - "url": "/api/multicloud-titaniumcloud/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - } - ]' - -spec: - ports: - {{ if eq .Values.service.type "NodePort" }} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{ else }} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{ end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/components/multicloud-windriver/values.yaml b/kubernetes/multicloud/components/multicloud-windriver/values.yaml index a328daedc6..0af9df856b 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/values.yaml +++ b/kubernetes/multicloud/components/multicloud-windriver/values.yaml 
@@ -28,29 +28,62 @@ global: image: onap/multicloud/openstack-windriver:1.5.7 pullPolicy: Always -#Istio sidecar injection policy -istioSidecar: true - # application configuration config: ssl_enabled: true msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 + msbPort: 80 aai: - aaiPort: 8443 - aaiPlainPort: 8080 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI service: - type: ClusterIP - name: multicloud-titaniumcloud - portName: multicloud-titaniumcloud - externalPort: 9005 + type: NodePort internalPort: 9005 - nodePort: 94 + ports: + - name: http + port: 9005 + nodePort: '94' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-titanium_cloud", + "version": "v0", + "url": "/api/multicloud-titanium_cloud/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-titaniumcloud", + "version": "v0", + "url": "/api/multicloud-titaniumcloud/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-titaniumcloud", + "version": "v1", + "url": "/api/multicloud-titaniumcloud/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: 'multicloud-titaniumcloud-api' + name: 'multicloud-titaniumcloud' + port: 9005 # default number of instances replicaCount: 1 @@ -68,9 +101,6 @@ liveness: failureThreshold: 5 enabled: true -ingress: - enabled: false - persistence: enabled: true mountPath: /dockerdata-nfs 
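Review bot: `config.ssl_enabled: true` is left in place at the top of the `@@ -28,29 +28,62 @@` hunk, although the windriver deployment template now sets `SSL_ENABLED` to the literal `"false"` and the new service annotation hard-codes `"enable_ssl": false`. As far as this page shows nothing reads the value any more, so an operator inspecting `values.yaml` could conclude that TLS is on when it is not. Remove the key, as the multicloud-starlingx `values.yaml` hunk does, or add `# unused: TLS is no longer configured by this chart` above it.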
@@ -85,18 +115,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} # memcached image resource diff --git a/kubernetes/multicloud/templates/deployment.yaml b/kubernetes/multicloud/templates/deployment.yaml index 5e1090798e..80a09c73b8 100644 --- a/kubernetes/multicloud/templates/deployment.yaml +++ b/kubernetes/multicloud/templates/deployment.yaml 
@@ -17,92 +17,76 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: AAI_PROTOCOL - value: "{{- if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: framework-log - - mountPath: /opt/multivimbroker/multivimbroker/pub/config/log.yml - name: framework-logconfig - subPath: log.yml - - mountPath: /opt/multivimbroker/multivimbroker/pub/config/provider-plugin.json - name: provider-plugin - subPath: provider-plugin.json - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: /api/multicloud/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: "{{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }}" - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPlainPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: AAI_PROTOCOL + value: "http" + - name: SSL_ENABLED + value: "false" + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: framework-log + - mountPath: /opt/multivimbroker/multivimbroker/pub/config/log.yml + name: framework-logconfig + subPath: log.yml + - mountPath: /opt/multivimbroker/multivimbroker/pub/config/provider-plugin.json + name: provider-plugin + subPath: provider-plugin.json + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + path: /api/multicloud/v0/swagger.json + port: {{ .Values.service.internalPort }} + scheme: "HTTP" + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end -}} # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: framework-log - emptyDir: {} - - name: provider-plugin - configMap: - name: {{ include "common.fullname" . }}-provider-plugin-configmap - {{ include "common.log.volumes" . | nindent 5 }} - - name: framework-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always + {{ include "common.log.sidecar" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: framework-log + emptyDir: {} + - name: provider-plugin + configMap: + name: {{ include "common.fullname" . 
}}-provider-plugin-configmap + {{ include "common.log.volumes" . | nindent 6 }} + - name: framework-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/templates/ingress.yaml b/kubernetes/multicloud/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/templates/service.yaml b/kubernetes/multicloud/templates/service.yaml index 1c483b0d2d..578036bb8d 100644 --- a/kubernetes/multicloud/templates/service.yaml +++ b/kubernetes/multicloud/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
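Review bot: `AAI_PORT` is rendered from `.Values.config.aai.aaiPlainPort` on the new side, but this same commit removes `aaiPlainPort` from kubernetes/multicloud/values.yaml and keeps only `aaiPort: 80`. Unless an override file still supplies the old key, the variable renders empty and the container gets no AAI port. The line should read `value: "{{ .Values.config.aai.aaiPort }}"`, which matches how `MSB_PORT` was reduced to `.Values.config.msbPort` two entries above.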
@@ -15,53 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud", - "version": "v0", - "url": "/api/multicloud/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - {{if (include "common.needTLS" .) -}} - "enable_ssl": {{ .Values.config.ssl_enabled }}, - {{- else -}} - "enable_ssl": false, - {{- end}} - "visualRange": "1" - }, - { - "serviceName": "multicloud", - "version": "v1", - "url": "/api/multicloud/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/values.yaml b/kubernetes/multicloud/values.yaml index 21e6a61cf5..033826f0e6 100644 --- a/kubernetes/multicloud/values.yaml +++ b/kubernetes/multicloud/values.yaml 
@@ -23,7 +23,6 @@ global: enabled: false persistence: {} centralizedLoggingEnabled: true - multicloudK8sKafkaUser: mc-k8s-sdc-list-kafka-user ################################################################# # Application configuration defaults. @@ -40,8 +39,6 @@ multicloud-fcaps: logConfigMapNamePrefix: '{{ include "common.release" . }}-multicloud' multicloud-k8s: enabled: true - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.multicloudK8sKafkaUser }}' multicloud-pike: enabled: true logConfigMapNamePrefix: '{{ include "common.release" . }}-multicloud' @@ -59,15 +56,12 @@ multicloud-windriver: # application configuration config: - ssl_enabled: true msbgateway: msb-iag logstashServiceName: log-ls logstashPort: 5044 - msbPort: 443 - msbPlainPort: 80 + msbPort: 80 aai: - aaiPort: 8443 - aaiPlainPort: 80 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI @@ -89,15 +83,41 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud - portName: http - externalPort: 9001 + type: NodePort internalPort: 9001 - nodePort: 91 + ports: + - name: http + port: 9001 + nodePort: '91' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud", + "version": "v0", + "url": "/api/multicloud/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud", + "version": "v1", + "url": "/api/multicloud/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-api' + name: 'multicloud' + port: 9001 # Resource Limit flavor -By Default using small flavor: small 
@@ -105,18 +125,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/nbi/Chart.yaml b/kubernetes/nbi/Chart.yaml index ee1e330072..25f307c253 100644 --- a/kubernetes/nbi/Chart.yaml +++ b/kubernetes/nbi/Chart.yaml @@ -17,32 +17,29 @@ apiVersion: v2 description: ONAP Northbound Interface name: nbi -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: mongo - version: ~12.x-0 + - name: mongodb + version: 14.12.2 repository: '@local' - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: mariadb-init - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - condition: not global.mariadbGalera.localCluster + condition: global.mariadbGalera.globalCluster - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml index 6a246a623c..863926a8ce 100644 --- a/kubernetes/nbi/templates/deployment.yaml +++ b/kubernetes/nbi/templates/deployment.yaml 
@@ -25,9 +25,6 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: -{{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} -{{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -35,36 +32,20 @@ spec: ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Dserver.ssl.key-store={{ .Values.certInitializer.credsPath }}/org.onap.nbi.p12 \ - -Dserver.ssl.key-store-type=PKCS12 \ - -Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/org.onap.nbi.trust.jks \ - -Dserver.ssl.key-store-password=$cadi_keystore_password_p12 \ - -Djavax.net.ssl.trustStoreType=jks\ - -Djava.security.egd=file:/dev/./urandom -Dserver.port=8443" - exec java -XX:+UseContainerSupport $JAVA_OPTS -jar /opt/onap/app.jar - {{- end }} {{ if .Values.liveness.enabled }} livenessProbe: httpGet: - port: {{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }} + port: {{ .Values.service.internalPort }} path: {{ .Values.liveness.path }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: httpGet: - port: {{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }} + port: {{ .Values.service.internalPort }} path: {{ .Values.readiness.path }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: 
@@ -75,11 +56,11 @@ spec: - name: SPRING_DATASOURCE_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nbi-db-secret" "key" "password") | indent 14 }} - name: SPRING_DATA_MONGODB_HOST - value: {{ .Values.mongo.service.name }}.{{ include "common.namespace" . }} + value: {{ .Values.mongodb.service.nameOverride }}.{{ include "common.namespace" . }} - name: SPRING_DATA_MONGODB_PORT - value: "{{ .Values.mongo.service.internalPort }}" + value: "{{ .Values.mongodb.service.port }}" - name: SPRING_DATA_MONGODB_DATABASE - value: {{ .Values.mongo.config.dbName }} + value: {{ .Values.mongodb.config.dbName }} - name: ONAP_LCPCLOUDREGIONID value: {{ .Values.config.openStackRegion }} - name: ONAP_TENANTID @@ -91,15 +72,15 @@ spec: - name: ONAP_K8SCLOUDOWNER value: {{ .Values.config.k8sCloudOwner }} - name: NBI_URL - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://nbi.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }}/nbi/api/v4" + value: "http://nbi.{{ include "common.namespace" . }}:{{ .Values.service.internalPort }}/nbi/api/v4" - name: SDC_HOST - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://sdc-be.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}8443{{ else }}8080{{ end }}" + value: "http://sdc-be.{{ include "common.namespace" . }}:8080" - name: SDC_HEADER_ECOMPINSTANCEID value: {{ .Values.config.ecompInstanceId }} - name: SDC_HEADER_AUTHORIZATION value: {{ .Values.sdc_authorization }} - name: AAI_HOST - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://aai.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}8443{{ else }}80{{ end }}" + value: "http://aai.{{ include "common.namespace" . }}:80" - name: AAI_HEADER_AUTHORIZATION value: {{ .Values.aai_authorization }} - name: SO_HOST 
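Review bot: `SPRING_DATA_MONGODB_PORT` now reads `.Values.mongodb.service.port`, but the `mongodb:` block this commit writes in kubernetes/nbi/values.yaml sets `service.nameOverride` and keeps `service.internalPort: 27017`, with no `service.port`. Unless the mongodb subchart's own defaults supply that key, the variable renders empty. Using `value: "{{ .Values.mongodb.service.internalPort }}"` here, or adding `port: 27017` under `mongodb.service` in values.yaml, would make the template and the values agree. The env list starts and ends outside this hunk.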
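Review bot: `SDC_HOST` and `AAI_HOST` are now fixed to `http://`, while `SDC_HEADER_AUTHORIZATION` and `AAI_HEADER_AUTHORIZATION` in the same env list are still configured. Those credentials therefore cross the cluster network unencrypted unless a mesh or network layer adds encryption underneath. Presumably that is the intent behind removing the `common.needTLS` branches, but nothing in the template records it. I would add a comment above `SDC_HOST`, for example `# plain HTTP by design: transport encryption is expected from the service mesh`; the same applies to `DMAAP_HOST` in the following hunk.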
@@ -109,7 +90,7 @@ spec: value: {{ .Values.so_authorization }} {{- end }} - name: DMAAP_HOST - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://message-router.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}3905{{ else }}3904{{ end }}" + value: "http://message-router.{{ include "common.namespace" . }}:3904" - name: LOGGING_LEVEL_ORG_ONAP_NBI value: {{ .Values.config.loglevel }} - name: MSB_ENABLED @@ -118,12 +99,7 @@ spec: value: "msb-discovery.{{ include "common.namespace" . }}" - name: MSB_DISCOVERY_PORT value: "10081" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -133,9 +109,4 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/nbi/tests/deployment_test.yaml b/kubernetes/nbi/tests/deployment_test.yaml index 7c8a1b0dbb..fe9d0d2977 100644 --- a/kubernetes/nbi/tests/deployment_test.yaml +++ b/kubernetes/nbi/tests/deployment_test.yaml @@ -98,7 +98,7 @@ tests: path: spec.template.spec.containers[0].env content: name: SDC_HOST - value: https://sdc-be.NAMESPACE:8443 + value: http://sdc-be.NAMESPACE:8080 - contains: path: spec.template.spec.containers[0].env content: 
@@ -113,7 +113,7 @@ tests: path: spec.template.spec.containers[0].env content: name: AAI_HOST - value: https://aai.NAMESPACE:8443 + value: http://aai.NAMESPACE:80 - contains: path: spec.template.spec.containers[0].env content: diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index dc323675ad..0d143dc6c6 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml 
@@ -19,36 +19,26 @@ global: nodePortPrefix: 302 mariadbGalera: &mariadbGalera - #This flag allows SO to instantiate its own mariadb-galera cluster + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows NBI to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) localCluster: false + globalCluster: true service: mariadb-galera internalPort: 3306 nameOverride: mariadb-galera - aafEnabled: true - msbEnabled: true - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: nbi-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: nbi - fqi: nbi@nbi.onap.org - public_fqdn: nbi.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: > - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - -aafConfig: - permission_user: 1000 - permission_group: 999 + msbEnabled: false + # Docker Repository used by RepositoryGenerator + dockerHubRepository: docker.io + # Additions for MongoDB**************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* ################################################################# # Secrets metaconfig 
@@ -84,12 +74,13 @@ config: openStackRegion: RegionOne openStackVNFTenantId: 31047205ce114b60833b23e400d6a535 db: - userName: rene + userName: &dbuser rene # userPassword: password # userCredentialsExternalSecret: some-secret mariadb-galera: db: + user: *dbuser externalSecret: *dbUserSecretName name: &mysqlDbName nbi service: @@ -98,6 +89,9 @@ mariadb-galera: internalPort: 3306 nameOverride: &nbi-galera nbi-galera replicaCount: 1 + mariadbOperator: + galera: + enabled: false persistence: enabled: true mountSubPath: nbi/maria/data @@ -109,21 +103,29 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: nbi-config + serviceAccount: + nameOverride: nbi-config -mongo: +mongodb: nameOverride: nbi-mongo config: - dbName: ServiceOrderDB + dbName: &mongoDBName ServiceOrderDB + auth: + enabled: false + databases: + - *mongoDBName + usernames: + - "nbi" service: - name: nbi-mongohost + nameOverride: nbi-mongohost internalPort: 27017 - nfsprovisionerPrefix: nbi - sdnctlPrefix: nbi - persistence: - mountSubPath: nbi/mongo/data - enabled: true - disableNfsProvisioner: true - + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "500m" + memory: "1Gi" # default number of instances replicaCount: 1 @@ -150,12 +152,10 @@ service: type: NodePort portName: api name: nbi - internalPort: 8443 - internalPlainPort: 8080 + internalPort: 8080 ports: - name: http - port: 8443 - plain_port: 8080 + port: 8080 nodePort: '74' ingress: @@ -163,8 +163,7 @@ ingress: service: - baseaddr: "nbi-api" name: "nbi" - port: 8443 - plain_port: 8080 + port: 8080 config: ssl: "redirect" # Resource Limit flavor -By Default using small 
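Review bot: `auth.enabled: false` in the new `mongodb:` block means `ServiceOrderDB` accepts unauthenticated connections from anything that can reach `nbi-mongohost` on port 27017. The `databases` and `usernames: - "nbi"` entries next to it suggest a dedicated user was intended, but with authentication off they presumably have no effect. I would set `enabled: true`, source the password from a Kubernetes secret rather than from values, and hand the credentials to the NBI container; the deployment.yaml hunks in this commit pass only host, port and database name for MongoDB. The removed `persistence:` block also means storage settings now come from the subchart defaults, which is worth confirming.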
@@ -173,18 +172,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/onap/Chart.yaml b/kubernetes/onap/Chart.yaml index 951543473a..45d8da170b 100644 --- a/kubernetes/onap/Chart.yaml +++ b/kubernetes/onap/Chart.yaml @@ -15,8 +15,8 @@ apiVersion: v2 name: onap -version: 12.0.0 -appVersion: Kohn +version: 14.0.0 +appVersion: NewDelhi description: Open Network Automation Platform (ONAP) home: https://www.onap.org/ sources: 
@@ -25,157 +25,121 @@ icon: https://wiki.onap.org/download/thumbnails/1015829/onap_704x271%20copy.png? kubeVersion: ">=1.19.11-0" dependencies: - - name: aaf - version: ~12.x-0 - repository: '@local' - condition: aaf.enabled - name: aai - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: aai.enabled - - name: appc - version: ~12.x-0 - repository: '@local' - condition: appc.enabled - name: cassandra - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: cassandra.enabled - name: cds - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: cds.enabled - name: cli - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: cli.enabled - name: common - version: ~12.x-0 - repository: '@local' - - name: consul - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - condition: consul.enabled - - name: contrib - version: ~12.x-0 - repository: '@local' - condition: global.addTestingComponents - name: cps - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: cps.enabled - name: dcaegen2-services - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcaegen2-services.enabled - - name: dcaemod - version: ~12.x-0 - repository: '@local' - condition: dcaemod.enabled - name: holmes - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: holmes.enabled - name: dmaap - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dmaap.enabled - - name: log - version: ~12.x-0 - repository: '@local' - condition: log.enabled - - name: sniro-emulator - version: ~12.x-0 - repository: '@local' - condition: sniro-emulator.enabled - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: mariadb-galera.enabled - name: msb - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: msb.enabled - name: multicloud - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: multicloud.enabled - name: nbi - version: ~12.x-0 + 
version: ~13.x-0 repository: '@local' condition: nbi.enabled - name: policy - version: ~12.x-0 + version: ~14.x-0 repository: '@local' condition: policy.enabled - - name: portal - version: ~12.x-0 + - name: portal-ng + version: ~13.x-0 repository: '@local' - condition: portal.enabled + condition: portal-ng.enabled - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: postgres.enabled - name: oof - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: oof.enabled - name: repository-wrapper - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: robot - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: robot.enabled - name: sdc - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: sdc.enabled - name: sdnc - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: sdnc.enabled - name: so - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: so.enabled - name: strimzi - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: strimzi.enabled - name: uui - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: uui.enabled - name: vfc - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: vfc.enabled - - name: vid - version: ~12.x-0 - repository: '@local' - condition: vid.enabled - name: vnfsdk - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: vnfsdk.enabled - name: modeling - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: modeling.enabled - name: platform - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: platform.enabled - name: a1policymanagement - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: a1policymanagement.enabled - - name: cert-wrapper - version: ~12.x-0 - repository: '@local' - condition: cert-wrapper.enabled - name: roles-wrapper - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: roles-wrapper.enabled 
diff --git a/kubernetes/onap/resources/environments/core-onap.yaml b/kubernetes/onap/resources/environments/core-onap.yaml index 8a4bb706d9..ebfe688619 100644 --- a/kubernetes/onap/resources/environments/core-onap.yaml +++ b/kubernetes/onap/resources/environments/core-onap.yaml @@ -52,21 +52,11 @@ aai: replicas: 1 aai-cassandra: replicaCount: 1 -aaf: - enabled: false -appc: - enabled: false cassandra: enabled: true replicaCount: 3 -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -77,14 +67,10 @@ dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: false dmaap-dr-prov: enabled: false dmaap-dr-node: enabled: false -log: - enabled: false mariadb-galera: enabled: true msb: @@ -97,9 +83,7 @@ oof: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false @@ -112,19 +96,17 @@ sdc: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" sdc-cs: config: maxHeapSize: "512M" heapNewSize: "256M" sdnc: enabled: true -sniro-emulator: - enabled: false so: enabled: true config: @@ -146,8 +128,6 @@ strimzi: enabled: false uui: enabled: false -vid: - enabled: false vfc: enabled: false vnfsdk: diff --git a/kubernetes/onap/resources/environments/dev.yaml b/kubernetes/onap/resources/environments/dev.yaml index 2caad2d530..fcf5de366c 100644 --- a/kubernetes/onap/resources/environments/dev.yaml +++ b/kubernetes/onap/resources/environments/dev.yaml @@ -32,7 +32,7 @@ global: #repository: nexus3.onap.org:10001 # readiness check - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 # logging agent - temporary repo until images migrated to nexus3 loggingRepository: docker.elastic.co 
@@ -52,14 +52,10 @@ global: # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false aai: enabled: false aai-cassandra: replicaCount: 1 -appc: - enabled: false cassandra: enabled: false replicaCount: 1 @@ -67,10 +63,6 @@ clamp: enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -79,12 +71,6 @@ holmes: enabled: false dmaap: enabled: false -log: - enabled: false - log-logstash: - replicaCount: 1 -sniro-emulator: - enabled: false oof: enabled: false mariadb-galera: @@ -97,9 +83,7 @@ nbi: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: true @@ -143,7 +127,5 @@ uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false diff --git a/kubernetes/onap/resources/environments/disable-allcharts.yaml b/kubernetes/onap/resources/environments/disable-allcharts.yaml index 43aa4c8c05..2d42af05ac 100644 --- a/kubernetes/onap/resources/environments/disable-allcharts.yaml +++ b/kubernetes/onap/resources/environments/disable-allcharts.yaml @@ -25,22 +25,12 @@ # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false aai: enabled: false -appc: - enabled: false cassandra: enabled: false -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -49,10 +39,6 @@ holmes: enabled: false dmaap: enabled: false -log: - enabled: false -sniro-emulator: - enabled: false mariadb-galera: enabled: false msb: @@ -65,9 +51,7 @@ oof: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false 
@@ -83,7 +67,5 @@ uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false diff --git a/kubernetes/onap/resources/environments/minimal-onap.yaml b/kubernetes/onap/resources/environments/minimal-onap.yaml index 7bfa258e5a..5a628c8c7d 100644 --- a/kubernetes/onap/resources/environments/minimal-onap.yaml +++ b/kubernetes/onap/resources/environments/minimal-onap.yaml @@ -16,17 +16,15 @@ # This override file is used to deploy a minimal configuration to # onboard and deploy a VNF. # It includes the following components: -# A&AI, Cassandra, DMAAP Message Router, Portal, Robot, SDC, SDNC, SO, STRIMZI Kafka, VID +# A&AI, Cassandra, DMAAP Message Router, Portal, Robot, SDC, SDNC, SO, STRIMZI Kafka # # Minimal resources are also reviewed for the various containers # A&AI: no override => to be fixed # DMAAP: no override -# Portal: new values # Robot: new values # SO: no override # SDC: new values # SDNC: no override -# VID: no override # # Replica are set to 1 (A&AI Cassandra) # @@ -47,21 +45,11 @@ aai: replicas: 1 aai-cassandra: replicaCount: 1 -aaf: - enabled: false -appc: - enabled: false cassandra: enabled: true replicaCount: 1 -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -72,14 +60,10 @@ dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: false dmaap-dr-prov: enabled: false dmaap-dr-node: enabled: false -log: - enabled: false mariadb-galera: enabled: true msb: 
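Review bot: The updated header comment of minimal-onap.yaml still lists `Portal` among the included components, yet a later hunk of the same file removes the whole `portal:` block and adds `portal-ng: enabled: false`, so this override no longer deploys any portal. The component line should read `# A&AI, Cassandra, DMAAP Message Router, Robot, SDC, SDNC, SO, STRIMZI Kafka`, in line with the `# Portal: new values` entry that this hunk already deletes.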
@@ -92,49 +76,8 @@ oof: enabled: false policy: enabled: false -pomba: +portal-ng: enabled: false -portal: - enabled: true - portal-cassandra: - config: - cassandraJvmOpts: "-Xmx512m -Xms256m" - resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - portal-app: - resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - resources: - portal-mariaddb: - resources: - small: - limits: - cpu: 800m - memory: 1Gi - requests: - cpu: 100m - memory: 500Mi - portal-widget: - resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 500Mi robot: enabled: true config: @@ -142,11 +85,11 @@ robot: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 100Mi + cpu: "10m" + memory: "100Mi" sdc: enabled: true sdc-be: @@ -156,19 +99,17 @@ sdc: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" sdc-cs: config: maxHeapSize: "512M" heapNewSize: "256M" sdnc: enabled: true -sniro-emulator: - enabled: false so: enabled: true config: @@ -190,8 +131,6 @@ strimzi: enabled: false uui: enabled: false -vid: - enabled: true vfc: enabled: false vnfsdk: diff --git a/kubernetes/onap/resources/environments/public-cloud.yaml b/kubernetes/onap/resources/environments/public-cloud.yaml index 90714a46d5..74ce637d52 100644 --- a/kubernetes/onap/resources/environments/public-cloud.yaml +++ b/kubernetes/onap/resources/environments/public-cloud.yaml 
@@ -24,27 +24,6 @@ # deploy ONAP. This increase in timeouts prevents restarting of # the pods thereby the components will be deployed without error. ################################################################# -aaf: - aaf-cs: - liveness: - initialDelaySeconds: 240 - readiness: - initialDelaySeconds: 240 - aaf-gui: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 - aaf-oauth: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 - aaf-service: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 aai: aai-champ: liveness: @@ -56,11 +35,6 @@ cassandra: initialDelaySeconds: 120 readiness: initialDelaySeconds: 120 -clamp: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 holmes: holmes-rule-mgmt: liveness: @@ -93,13 +67,6 @@ dmaap: initialDelaySeconds: 120 readiness: initialDelaySeconds: 120 - -portal: - portal-app: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 sdc: sdc-fe: liveness: diff --git a/kubernetes/onap/resources/overrides/environment.yaml b/kubernetes/onap/resources/overrides/environment.yaml index cb43e2e094..468aab8c18 100644 --- a/kubernetes/onap/resources/overrides/environment.yaml +++ b/kubernetes/onap/resources/overrides/environment.yaml @@ -32,27 +32,6 @@ # large value may not fix all installation issues on over subscribed hardware. # ################################################################# -aaf: - aaf-cs: - liveness: - initialDelaySeconds: 240 - readiness: - initialDelaySeconds: 240 - aaf-gui: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 - aaf-oauth: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 - aaf-service: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 aai: liveness: initialDelaySeconds: 120 
@@ -75,11 +54,6 @@ aai: periodSeconds: 120 readiness: periodSeconds: 60 -appc: - mariadb-galera: - liveness: - initialDelaySeconds: 180 - periodSeconds: 60 cassandra: liveness: timeoutSeconds: 30 @@ -87,16 +61,6 @@ cassandra: readiness: timeoutSeconds: 30 periodSeconds: 60 -clamp: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 - clamp-mariadb: - liveness: - initialDelaySeconds: 30 - readiness: - initialDelaySeconds: 30 holmes: holmes-rule-mgmt: liveness: @@ -150,17 +114,6 @@ oof: periodSeconds: 120 readiness: periodSeconds: 60 -portal: - portal-app: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 - portal-cassandra: - liveness: - periodSeconds: 120 - readiness: - periodSeconds: 60 sdc: sdc-fe: liveness: diff --git a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml index 506dd4f7fe..4c1a418777 100644 --- a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml +++ b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml @@ -35,7 +35,7 @@ global: password: docker # readiness check - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 # logging agent - temporary repo until images migrated to nexus3 loggingRepository: docker.elastic.co 
@@ -68,32 +68,14 @@ global: # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: true aai: enabled: true -appc: - enabled: false - config: - openStackType: OpenStackProvider - openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: admin cassandra: enabled: true cds: enabled: true -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -104,16 +86,10 @@ dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: false dmaap-dr-prov: enabled: false dmaap-dr-node: enabled: false -log: - enabled: true -sniro-emulator: - enabled: false oof: enabled: true mariadb-galera: @@ -130,14 +106,12 @@ nbi: openStackVNFTenantId: "1234" policy: enabled: true -pomba: - enabled: false -portal: +portal-ng: enabled: true robot: enabled: true config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment + # openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" sdc: enabled: true @@ -177,8 +151,6 @@ uui: enabled: true vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false modeling: diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml new file mode 100644 index 0000000000..ba7b50e53c --- /dev/null +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml 
@@ -0,0 +1,168 @@ +# Copyright © 2019 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################### +# This override file enables helm charts for all ONAP applications. +################################################################### +#ingress virtualhost based configuration +global: + ingress: + enabled: true + # enable all component's Ingress interfaces + enable_all: true + # All http requests via ingress will be redirected + + # Provider: ingress, istio, gw-api + provider: gw-api + # Ingress class (only for provider "ingress"): e.g. 
nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "common-gateway" + httpListener: "http-80" + httpsListener: "https-443" + virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + config: + ssl: "redirect" + # you can set an own Secret containing a certificate + # tls: + # secret: 'my-ingress-cert' + # optional: Namespace of the Istio IngressGateway + namespace: istio-ingress + centralizedLoggingEnabled: ¢ralizedLogging false + # Disabling CMPv2 + cmpv2Enabled: false + +cassandra: + enabled: true +mariadb-galera: + enabled: true +postgres: + enabled: true +aai: + enabled: true +cds: + enabled: true +cli: + enabled: true +cps: + enabled: true +dcaegen2: + enabled: true +dcaegen2-services: + enabled: true + dcae-datafile-collector: + enabled: true + dcae-datalake-admin-ui: + enabled: true + dcae-datalake-des: + enabled: true + dcae-datalake-feeder: + enabled: true + dcae-heartbeat: + enabled: true + dcae-hv-ves-collector: + enabled: true + dcae-kpi-ms: + enabled: true + dcae-ms-healthcheck: + enabled: true + dcae-pm-mapper: + enabled: true + dcae-pmsh: + enabled: true + dcae-prh: + enabled: true + dcae-restconf-collector: + enabled: true + dcae-slice-analysis-ms: + enabled: true + dcae-snmptrap-collector: + enabled: true + dcae-son-handler: + enabled: true + dcae-tcagen2: + enabled: true + dcae-ves-collector: + enabled: true + applicationConfig: + auth.method: "noAuth" + dcae-ves-mapper: + enabled: true + dcae-ves-openapi-manager: + enabled: true 
+holmes: + enabled: true +dmaap: + enabled: true + message-router: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true +oof: + enabled: true +msb: + enabled: true +multicloud: + enabled: true +nbi: + enabled: true +platform: + enabled: true + cmpv2-cert-service: + enabled: false + keycloak-init: + enabled: true + oauth2-proxy: + enabled: true +policy: + enabled: true +portal-ng: + enabled: true +robot: + enabled: true +sdc: + enabled: true +sdnc: + enabled: true +so: + enabled: true +strimzi: + enabled: true + strimzi-kafka-bridge: + enabled: true +uui: + enabled: true +vfc: + enabled: true +vnfsdk: + enabled: true +modeling: + enabled: true +a1policymanagement: + enabled: true diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml index c78ac8abd2..cc830424e2 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml 
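Review bot: `dcae-ves-collector.applicationConfig.auth.method: "noAuth"` ships in this new override next to `global.ingress.enable_all: true`. If the collector's chart defines an ingress route, its event endpoint is then reachable through the gateway without authentication. Nothing in the file marks this as a lab-only choice, so I would add a comment above the key such as `# noAuth is for test/demo deployments only; configure an authenticated method before exposing the collector`, or omit the key and let each environment set it. Separately, the anchor defined on `centralizedLoggingEnabled` is not referenced anywhere in this file and can be dropped.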
@@ -22,6 +22,30 @@ global: # enable all component's Ingress interfaces enable_all: true # All http requests via ingress will be redirected + + # Provider: ingress, istio, gw-api + provider: istio + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + + virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" config: ssl: "redirect" # you can set an own Secret containing a certificate @@ -29,8 +53,6 @@ global: # secret: 'my-ingress-cert' # optional: Namespace of the Istio IngressGateway namespace: istio-ingress - # don't need ejbca server - addTestingComponents: &testing false centralizedLoggingEnabled: ¢ralizedLogging false # Disabling CMPv2 cmpv2Enabled: false @@ -41,27 +63,12 @@ mariadb-galera: enabled: true postgres: enabled: true -aaf: - enabled: false - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: true aai: enabled: true -appc: - enabled: false cds: enabled: true cli: enabled: true -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing -consul: - enabled: true cps: enabled: true dcaegen2: 
@@ -108,16 +115,12 @@ dcaegen2-services: enabled: true dcae-ves-openapi-manager: enabled: true -dcaemod: - enabled: true holmes: enabled: true dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: true dmaap-dr-prov: enabled: true dmaap-dr-node: @@ -130,10 +133,18 @@ multicloud: enabled: true nbi: enabled: true +platform: + enabled: true + cmpv2-cert-service: + enabled: false + keycloak-init: + enabled: true + oauth2-proxy: + enabled: true policy: enabled: true -portal: - enabled: false +portal-ng: + enabled: true robot: enabled: true sdc: @@ -150,13 +161,9 @@ uui: enabled: true vfc: enabled: true -vid: - enabled: false vnfsdk: enabled: true modeling: enabled: true -platform: - enabled: true a1policymanagement: enabled: true diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml index 9a090c1a41..e5fd78e9ef 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml @@ -20,8 +20,19 @@ global: ingress: enabled: true enable_all: true - addTestingComponents: &testing true - centralizedLoggingEnabled: ¢ralizedLogging false + # Provider: ingress, istio, gw-api + provider: ingress + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: nginx + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + cassandra: enabled: true mariadb-galera: 
@@ -29,43 +40,22 @@ mariadb-galera: postgres: enabled: true -aaf: - enabled: true - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: true aai: enabled: true -appc: - enabled: false cds: enabled: true -clamp: - enabled: true cli: enabled: true -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing -consul: - enabled: true cps: enabled: true dcaegen2-services: enabled: true -dcaemod: - enabled: true holmes: enabled: true dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: true dmaap-dr-prov: enabled: true dmaap-dr-node: @@ -80,8 +70,8 @@ nbi: enabled: true policy: enabled: true -portal: - enabled: false +portal-ng: + enabled: true robot: enabled: true sdc: @@ -98,10 +88,6 @@ uui: enabled: true vfc: enabled: true -vid: - enabled: true - ingress: - enabled: true vnfsdk: enabled: true diff --git a/kubernetes/onap/resources/overrides/onap-all.yaml b/kubernetes/onap/resources/overrides/onap-all.yaml index aeac83f7ef..027f8b3225 100644 --- a/kubernetes/onap/resources/overrides/onap-all.yaml +++ b/kubernetes/onap/resources/overrides/onap-all.yaml 
@@ -19,38 +19,18 @@ ################################################################### # This override file enables helm charts for all ONAP applications. ################################################################### -global: - addTestingComponents: &testing true - centralizedLoggingEnabled: ¢ralizedLogging false cassandra: enabled: true mariadb-galera: enabled: true postgres: enabled: true -aaf: - enabled: true - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: true aai: enabled: true -appc: - enabled: false cds: enabled: true -clamp: - enabled: true cli: enabled: true -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing -consul: - enabled: true cps: enabled: true dcaegen2-services: @@ -93,16 +73,12 @@ dcaegen2-services: enabled: true dcae-ves-openapi-manager: enabled: true -dcaemod: - enabled: true holmes: enabled: true dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: true dmaap-dr-prov: enabled: true dmaap-dr-node: @@ -117,8 +93,8 @@ nbi: enabled: true policy: enabled: true -portal: - enabled: false +portal-ng: + enabled: true robot: enabled: true sdc: @@ -135,8 +111,6 @@ uui: enabled: true vfc: enabled: true -vid: - enabled: false vnfsdk: enabled: true modeling: diff --git a/kubernetes/onap/resources/overrides/onap-vfw.yaml b/kubernetes/onap/resources/overrides/onap-vfw.yaml index fc0c94de24..14748ddb2e 100644 --- a/kubernetes/onap/resources/overrides/onap-vfw.yaml +++ b/kubernetes/onap/resources/overrides/onap-vfw.yaml @@ -21,16 +21,8 @@ cassandra: mariadb-galera: enabled: true -aaf: - enabled: true aai: enabled: true -appc: - enabled: true -clamp: - enabled: true -consul: - enabled: true dcaegen2-services: enabled: true holmes: 
@@ -39,21 +31,17 @@ dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: false dmaap-dr-prov: enabled: false dmaap-dr-node: enabled: false -log: - enabled: true oof: enabled: true msb: enabled: true policy: enabled: true -portal: +portal-ng: enabled: true robot: enabled: true @@ -67,5 +55,3 @@ strimzi: enabled: true strimzi-kafka-bridge: enabled: false -vid: - enabled: true diff --git a/kubernetes/onap/resources/overrides/openstack.yaml b/kubernetes/onap/resources/overrides/openstack.yaml index 5e09d7cfe9..9c0fc539c3 100644 --- a/kubernetes/onap/resources/overrides/openstack.yaml +++ b/kubernetes/onap/resources/overrides/openstack.yaml @@ -15,19 +15,7 @@ ################################################################# # This override file configures openstack parameters for ONAP ################################################################# -appc: - config: - enableClustering: false - openStackType: "OpenStackProvider" - openStackName: "OpenStack" - openStackKeyStoneUrl: "http://10.12.25.2:5000/v2.0" - openStackServiceTenantName: "OPENSTACK_TENANTNAME_HERE" - openStackDomain: "Default" - openStackUserName: "OPENSTACK_USERNAME_HERE" - openStackEncryptedPassword: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_PASSWORD_HERE_XXXXXXXXXXXXXXXX" robot: - appcUsername: "appc@appc.onap.org" - appcPassword: "demo123456!" openStackKeyStoneUrl: "http://10.12.25.2:5000" openStackPublicNetId: "971040b2-7059-49dc-b220-4fab50cb2ad4" openStackTenantId: "09d8566ea45e43aa974cf447ed591d77" @@ -46,7 +34,7 @@ robot: scriptVersion: "1.4.0-SNAPSHOT" rancherIpAddress: "10.12.5.127" config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment + # openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_ENCRYPTED_PASSWORD_HERE_XXXXXXXXXXXXXXXX" so: # so server configuration 
diff --git a/kubernetes/onap/resources/overrides/sm-onap.yaml b/kubernetes/onap/resources/overrides/sm-onap.yaml index 1d3b2eb5c9..dc5da35113 100644 --- a/kubernetes/onap/resources/overrides/sm-onap.yaml +++ b/kubernetes/onap/resources/overrides/sm-onap.yaml @@ -60,25 +60,11 @@ aai: replicas: 1 aai-cassandra: replicaCount: 1 -aaf: - enabled: false - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: false -appc: - enabled: false cassandra: enabled: true replicaCount: 3 -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -87,16 +73,12 @@ dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: true dmaap-dr-prov: enabled: true dmaap-dr-node: enabled: true holmes: enabled: false -log: - enabled: false mariadb-galera: enabled: true msb: @@ -109,9 +91,7 @@ oof: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false @@ -124,19 +104,17 @@ sdc: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" sdc-cs: config: maxHeapSize: "512M" heapNewSize: "256M" sdnc: enabled: true -sniro-emulator: - enabled: false so: enabled: true config: @@ -152,8 +130,6 @@ strimzi: enabled: true uui: enabled: false -vid: - enabled: false vfc: enabled: false vnfsdk: diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index bdbf5ab323..5f48a5e2ed 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2019 Amdocs, Bell Canada # Copyright (c) 2020 Nordix Foundation, Modifications # Modifications Copyright © 2020-2021 Nokia +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -26,19 +27,6 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 - - # Install test components - # test components are out of the scope of ONAP but allow to have a entire - # environment to test the different features of ONAP - # Current tests environments provided: - # - netbox (needed for CDS IPAM) - # - AWX (needed for XXX) - # - EJBCA Server (needed for CMPv2 tests) - # Today, "contrib" chart that hosting these components must also be enabled - # in order to make it work. So `contrib.enabled` must have the same value than - # addTestingComponents - addTestingComponents: &testing false - # ONAP Repository # Four different repositories are used # You can change individually these repositories to ones that will serve the @@ -46,15 +34,10 @@ global: repository: nexus3.onap.org:10001 dockerHubRepository: &dockerHubRepository docker.io elasticRepository: &elasticRepository docker.elastic.co + quayRepository: quay.io googleK8sRepository: k8s.gcr.io githubContainerRegistry: ghcr.io - #/!\ DEPRECATED /!\ - # Legacy repositories which will be removed at the end of migration. - # Please don't use - loggingRepository: *elasticRepository - busyboxRepository: *dockerHubRepository - # Default credentials # they're optional. If the target repository doesn't need them, comment them repositoryCred: 
@@ -75,6 +58,20 @@ global: # user: myuser # password: mypassord + # Default definition of the secret containing the docker image repository + # credentials. In the default ONAP deployment the secret is created by the + # repository-wrapper component, which uses the secrets defined above. + # If this is not wanted or other secrets are created, alternative secret + # names can be used + # Overrides for specific images can be done, if the "image" entry is used as + # a map and the "pullSecrets" is used, e.g. + # image: + # ... + # pullSecrets: + # - myRegistryKeySecretName + # + imagePullSecrets: + - '{{ include "common.namespace" . }}-docker-registry-key' # common global images # Busybox for simple shell manipulation @@ -106,7 +103,7 @@ global: postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 # readiness check image - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 # image pull policy pullPolicy: Always @@ -127,6 +124,10 @@ global: storageclassProvisioner: kubernetes.io/no-provisioner volumeReclaimPolicy: Retain + # Global flag to enable the creation of default roles instead of using + # common roles-wrapper + createDefaultRoles: false + # override default resource limit flavor for all charts flavor: unlimited 
@@ -150,11 +151,36 @@ global: enabled: false # enable all component's Ingress interfaces enable_all: false - # default Ingress base URL - # can be overwritten in component vy setting ingress.baseurlOverride + + # Provider: ingress, istio, gw-api + provider: istio + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + + # default Ingress base URL and preAddr- and postAddr settings + # Ingress URLs result: + # . virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride baseurl: "simpledemo.onap.org" - # All http requests via ingress will be redirected on Ingress controller + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + + # All http (port 80) requests via ingress will be redirected + # to port 443 on Ingress controller # only valid for Istio Gateway (ServiceMesh enabled) config: ssl: "redirect" 
@@ -163,18 +189,21 @@ global: # tls: # secret: 'my-ingress-cert' - # optional: Namespace of the Istio IngressGateway + # optional: Namespace of the Istio IngressGateway or Gateway-API # only valid for Istio Gateway (ServiceMesh enabled) namespace: istio-ingress # Global Service Mesh configuration - # POC Mode, don't use it in production serviceMesh: enabled: false tls: true # be aware that linkerd is not well tested engine: "istio" # valid value: istio or linkerd + # Global Istio Authorization Policy configuration + authorizationPolicies: + enabled: false + # metrics part # If enabled, exporters (for prometheus) will be deployed # if custom resources set to yes, CRD from prometheus operartor will be @@ -188,8 +217,7 @@ global: # Disabling AAF # POC Mode, only for use in development environment # Keep it enabled in production - aafEnabled: true - aafAgentImage: onap/aaf/aaf_agent:2.1.20 + aafEnabled: false # Disabling MSB # POC Mode, only for use in development environment @@ -212,7 +240,7 @@ global: name: cmpv2-issuer-onap # Enabling CMPv2 - cmpv2Enabled: true + cmpv2Enabled: false platform: certificates: clientSecretName: oom-cert-service-client-tls-secret @@ -232,7 +260,7 @@ global: # Set to false if you want to disable TLS for NodePorts. Be aware that this # will loosen your security. # if set this element will force or not tls even if serviceMesh.tls is set. - # tlsEnabled: false + tlsEnabled: false # Logging # Currently, centralized logging is not in best shape so it's disabled by @@ -255,14 +283,6 @@ global: # storageClass: "-" # Example of specific for the components which requires RWX: -# aaf: -# persistence: -# storageClassOverride: "My_RWX_Storage_Class" -# contrib: -# netbox: -# netbox-app: -# persistence: -# storageClassOverride: "My_RWX_Storage_Class" # cds: # cds-blueprints-processor: # persistence: 
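Review bot: The comment above `aafEnabled` still reads `# POC Mode, only for use in development environment` and `# Keep it enabled in production`, while the hunk at `-188,8 +217,7` flips the default to `aafEnabled: false` and the rest of the commit removes the `aaf` chart. As written, the file tells operators that the shipped default is unsuitable for production without naming what replaces AAF. The replacement is presumably the service mesh together with the `authorizationPolicies` flag added in the first hunk on this line, and both default to `enabled: false`. I would rewrite the comment along the lines of `# AAF has been retired; keep this false. Access control is expected from serviceMesh + authorizationPolicies, which must be enabled explicitly`.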
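Review bot: Uncommenting `tlsEnabled: false` in the hunk at `-232,7 +260,7` makes plaintext NodePorts the default, and the comment directly above says this key takes effect "even if serviceMesh.tls is set", so it overrides the `tls: true` kept under `serviceMesh`. Since `serviceMesh.enabled` is also `false` by default, a stock install appears to get TLS from neither place. The retained warning "this will loosen your security" now describes the default configuration rather than an opt-out. If TLS is meant to be terminated by the mesh or ingress, state that in the comment, e.g. `# TLS is expected from the service mesh / ingress; set to true to force TLS on NodePorts when running without a mesh`. Otherwise leave the key commented out so `serviceMesh.tls` decides.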
@@ -277,64 +297,28 @@ global: # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: false aai: enabled: false -appc: - enabled: false - config: - openStackType: OpenStackProvider - openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: admin cassandra: enabled: false cds: enabled: false -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing cps: enabled: false dcaegen2-services: enabled: false -dcaemod: - enabled: false holmes: enabled: false dmaap: enabled: false message-router: enabled: false - dmaap-bc: - enabled: false dmaap-dr-prov: enabled: false dmaap-dr-node: enabled: false -# Today, "logging" chart that perform the central part of logging must also be -# enabled in order to make it work. So `logging.enabled` must have the same -# value as centralizedLoggingEnabled -log: - enabled: *centralizedLogging -sniro-emulator: - enabled: false oof: enabled: false mariadb-galera: @@ -351,14 +335,12 @@ nbi: openStackVNFTenantId: "1234" policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment + # openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" sdc: enabled: false 
@@ -415,8 +397,6 @@ uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false modeling: @@ -425,8 +405,6 @@ platform: enabled: false a1policymanagement: enabled: false -cert-wrapper: - enabled: true repository-wrapper: enabled: true roles-wrapper: diff --git a/kubernetes/oof/Chart.yaml b/kubernetes/oof/Chart.yaml index 3d5441dd4c..6be063fc4c 100755 --- a/kubernetes/oof/Chart.yaml +++ b/kubernetes/oof/Chart.yaml @@ -18,25 +18,25 @@ apiVersion: v2 description: ONAP Optimization Framework name: oof -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: oof-has - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/oof-has' condition: oof-has.enabled - name: oof-templates - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/oof-templates' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-has/Chart.yaml b/kubernetes/oof/components/oof-has/Chart.yaml index 0b3a324c9a..79f19c176c 100755 --- a/kubernetes/oof/components/oof-has/Chart.yaml +++ b/kubernetes/oof/components/oof-has/Chart.yaml 
@@ -18,45 +18,41 @@ apiVersion: v2 description: ONAP Homing and Allocation Service name: oof-has -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: music - version: ~12.x-0 - repository: '@local' - condition: music.enabled - name: etcd - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: etcd.enabled - name: etcd-init - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: etcd-init.enabled - name: oof-has-api - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-api' condition: oof-has-api.enabled - name: oof-has-controller - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-controller' condition: oof-has-controller.enabled - name: oof-has-data - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-data' condition: oof-has-data.enabled - name: oof-has-reservation - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-reservation' condition: oof-has-reservation.enabled - name: oof-has-solver - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-solver' condition: oof-has-solver.enabled - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml index 39d3f0c89f..c6c07bd8ef 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml 
@@ -18,21 +18,22 @@ apiVersion: v2 description: ONAP Homing and Allocation Servicei - API name: oof-has-api -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' + diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml index 4e38c830f0..703d8bb7c4 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml 
@@ -18,67 +18,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - oof-has-controller - {{- if (include "common.needTLS" .) }} - - --container-name - - aaf-service - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . }}-has-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} -{{ include "common.certInitializer.initContainer" . | indent 6 }} - + {{ include "common.readinessCheck.waitFor" . 
| nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} @@ -103,22 +51,13 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/etc/conductor/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf - mountPath: /usr/local/bin/log.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: log.conf - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} - name: {{ include "common.name" . }}-nginx image: {{ include "repositoryGenerator.image.nginx" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -127,13 +66,10 @@ spec: args: - "-c" - | - {{- if (include "common.needTLS" .) }} - grep -v '^$' /opt/bitnami/nginx/ssl/local/org.onap.oof.crt > /tmp/oof.crt - cat /tmp/oof.crt /tmp/intermediate_root_ca.pem /tmp/AAF_RootCA.cer >> /opt/bitnami/nginx/org.onap.oof.crt - {{- end }} /opt/bitnami/scripts/nginx/entrypoint.sh /opt/bitnami/scripts/nginx/run.sh ports: - containerPort: {{ .Values.service.internalPort }} + name: http {{- if .Values.liveness.enabled }} livenessProbe: tcpSocket: 
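Review bot: The new `{{ include "common.readinessCheck.waitFor" . | nindent 6 }}` line under `initContainers:` is written without the left trim marker, unlike the `{{- include "common.resourceMetadata" . | nindent 2 }}` form this same hunk uses for `metadata:`, `selector:` and the template metadata. Because `nindent` starts its output with a newline, the untrimmed form leaves a whitespace-only line in the rendered manifest; `{{- include "common.readinessCheck.waitFor" . | nindent 6 }}` keeps the output consistent. The same line is added in the oof-has-controller, oof-has-data, oof-has-reservation and oof-has-solver deployment hunks. The pod spec continues outside this hunk.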
@@ -147,23 +83,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/bitnami/nginx/conf/nginx.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: nginx.conf - {{- if (include "common.needTLS" .) }} - - mountPath: /tmp/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - - mountPath: /tmp/intermediate_root_ca.pem - name: {{ include "common.fullname" . }}-onap-certs - subPath: intermediate_root_ca.pem - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -174,10 +97,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -188,8 +107,4 @@ spec: path: conductor.conf - key: log.conf path: log.conf -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml index f13e7cea9b..b77b592c08 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml 
+++ b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,29 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml index c850cb7752..0d7bd7c995 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml 
@@ -22,10 +22,6 @@ global: # global defaults # secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -42,16 +38,15 @@ config: service: type: NodePort name: oof-has-api - externalPort: 8091 internalPort: 8091 - nodePort: 75 - portName: http + ports: + - name: http + port: 8091 + nodePort: '75' #backend container info uwsgi: internalPort: 8080 -ingress: - enabled: false replicaCount: 1 nodeSelector: {} affinity: {} @@ -61,18 +56,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -85,24 +80,6 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 -#sub-charts configuration -certInitializer: - nameOverride: oof-has-cert-initializer - fqdn: "oof.onap" - app_ns: "org.osaaf.aaf" - fqi: "oof@oof.onap.org" - fqi_namespace: org.onap.oof - public_fqdn: "oof.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - appMountPath: /opt/bitnami/nginx/ssl - aaf_add_config: > - chmod 444 {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key; - - ingress: enabled: false service: @@ -112,6 +89,11 @@ ingress: config: ssl: "redirect" +readinessCheck: + wait_for: + apps: + - oof-has-controller + #Pods Service Account serviceAccount: nameOverride: oof-has-api 
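Review bot: `service.type` stays `NodePort` in the `service:` hunk while the port is now declared as `name: http` on 8091 and the certInitializer block is removed further down in this file, so the API would be reachable on a node port without transport encryption unless something outside this chart enforces it. Whether `common.service` changes the service type when an ingress or service mesh is enabled is not visible in this diff. If access is meant to go through the mesh or ingress only, defaulting to `type: ClusterIP` and leaving `nodePort` as an opt-in override would match that intent. At minimum, a comment such as `# plain HTTP; TLS is expected from the mesh/ingress in front of this service` should record the assumption.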
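Review bot: The `resources:` hunk cuts the `small` memory limit from 4Gi to 1Gi and the `large` limit from 8Gi to 2Gi, with requests now equal to the limits, and nothing in the file records how the new numbers were chosen. If the container's working set exceeds the new limit it will be OOM-killed and restarted, which for an API pod shows up as intermittent unavailability. A short comment above the block, e.g. `# limits sized from observed usage; raise if the pod is OOM-killed`, would make the sizing reviewable. The same values are applied in the oof-has-controller, oof-has-data and oof-has-reservation values.yaml hunks.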
diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml index 9713d7a497..9c155e8525 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml @@ -18,18 +18,21 @@ apiVersion: v2 description: ONAP Homing and Allocation Sservice - Controller name: oof-has-controller -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml index 92be670db6..2367da742e 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml 
@@ -17,65 +17,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - {{- if (include "common.needTLS" .) }} - - --container-name - - aaf-sms - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . }}-cont-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} + {{ include "common.readinessCheck.waitFor" . 
| nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} @@ -105,9 +55,6 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf @@ -117,13 +64,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -134,9 +75,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -147,8 +85,4 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml index d6da75fd18..7cbfafbc76 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml 
+++ b/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml @@ -20,10 +20,6 @@ global: # Secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -48,18 +44,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -72,6 +68,11 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + #Pods Service Account serviceAccount: nameOverride: oof-has-controller diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml index 725545159c..142f6e563e 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml 
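Review bot: The new `readinessCheck.wait_for.jobs` entry is a quoted string that itself contains template expressions (`{{ include "common.release" . }}-…-job`), so it only resolves to a real job name if `common.readinessCheck.waitFor` renders the value through `tpl`; that helper is not visible in this diff. If it is passed through literally, the init container would wait for a job name that never exists and the pod would stay in Init. A comment above the entry, e.g. `# rendered with tpl by common.readinessCheck.waitFor`, would document the dependency. The same entry is added in the oof-has-data and oof-has-reservation values.yaml hunks.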
@@ -18,18 +18,21 @@ apiVersion: v2 description: ONAP Homing and Allocation Service - Data Component name: oof-has-data -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml index 72ecd7db2d..765d3dbda4 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml 
@@ -17,62 +17,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . }}-data-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} - + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.global.image.optf_has }} @@ -102,9 +55,6 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf @@ -114,19 +64,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/bin/aai_cert.cer - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: aai_cert.cer - - mountPath: /usr/local/bin/aai_key.key - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: aai_key.key - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -137,9 +75,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -150,14 +85,4 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh - {{- if (include "common.needTLS" .) }} - - key: aai_cert.cer - path: aai_cert.cer - - key: aai_key.key - path: aai_key.key - {{- end }} -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml index 93a335d29d..37e131ba91 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml @@ -20,10 +20,6 @@ global: # secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -48,18 +44,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -72,6 +68,11 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + #Pods Service Account serviceAccount: nameOverride: oof-has-data diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml index b8e5521b93..2e7666ca06 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml 
@@ -18,18 +18,21 @@ apiVersion: v2 description: ONAP Homing and Allocation Sevice - Reservation Component name: oof-has-reservation -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml index b90a6f6e89..d7b53346e9 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml 
@@ -17,62 +17,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . }}-resrv-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" .}}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} - + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.global.image.optf_has }} @@ -102,9 +55,6 @@ spec: {{ end -}} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf @@ -114,13 +64,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -131,9 +75,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -144,8 +85,4 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml index 651e832929..6a1bc53582 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml 
@@ -20,10 +20,6 @@ global: # secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -48,18 +44,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -72,6 +68,11 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + #Pods Service Account serviceAccount: nameOverride: oof-has-reservation diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml index 9f5381be53..7fe3d0c8ca 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml @@ -18,18 +18,21 @@ apiVersion: v2 description: ONAP Homing and Allocation Service - Solver Component name: oof-has-solver -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml index 4499d9806e..5d9c0763b5 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml 
@@ -17,62 +17,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . }}-solvr-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} - + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.global.image.optf_has }} @@ -102,9 +55,6 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf @@ -114,13 +64,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -131,9 +75,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -144,8 +85,4 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml index 46ff033c82..e0a9b0cdd1 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml 
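Review bot: Two of the new includes are not left-trimmed, `{{ include "common.readinessCheck.waitFor" . | nindent 6 }}` under `initContainers:` and `resources: {{ include "common.resources" . | nindent 12 }}`, while `metadata:`, `selector:` and the image pull secrets in the same file use the `{{- include … }}` form. Since `nindent` already starts its output on a new line, the untrimmed form leaves trailing whitespace or a whitespace-only line in the rendered manifest. Writing `{{- include "common.readinessCheck.waitFor" . | nindent 6 }}` and `resources: {{- include "common.resources" . | nindent 12 }}` would make the file consistent. The same two lines appear in the kubernetes/oof/templates/deployment.yaml hunks at the end of this diff.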
@@ -20,10 +20,6 @@ global: # secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -48,18 +44,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -72,6 +68,11 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + #Pods Service Account serviceAccount: nameOverride: oof-has-solver diff --git a/kubernetes/oof/components/oof-has/resources/config/aai_cert.cer b/kubernetes/oof/components/oof-has/resources/config/aai_cert.cer deleted file mode 100755 index 4c6eb916e6..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/aai_cert.cer +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEKjCCAxKgAwIBAgIBHjANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJVUzEN -MAsGA1UECgwET05BUDEOMAwGA1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVk -aWF0ZUNBXzEwHhcNMTgwNDI1MTIxMzAxWhcNMTkwNDIwMTIxMzAxWjBtMQswCQYD -VQQGEwJVUzENMAsGA1UECgwET05BUDEZMBcGA1UECwwQb29mQG9vZi5vbmFwLm9y -ZzEOMAwGA1UECwwFT1NBQUYxJDAiBgNVBAMMG29vZi5hcGkuc2ltcGxlZGVtby5v -bmFwLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANGpQUtgLXG3 -dVikd/QC2Q24wzeTOeZzbx3PnidNYZT5K0sJ/TdnZF6O/4+9gXQ6AQS2Q8wfQ009 -MQAA5vhUaq5yZ2K+XAtEFGln1TxTFpGu3WDOwQ800Vw18Dk8WidrkzDJv489Bn1f -SSaPC0IaRB0K1d8BD63ZHgsuEY8lt31DX2wFWJcfN9mxNDzuLTZoLxtxKsedoZKH -rsOOILwXOhwuunfx40i6RQN/pFX6C2i8dtOA5OwUm9Q1RrZ2Tv1Uf4IURriH6bfZ -5n50yxTuL22TMYXsF/ohrdgwacuC0aV9ZSGhIZUJPyHVg7+QTBioHmoUJInVKuIx -kkC4lENbLYUCAwEAAaOB+jCB9zAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIG -wDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRp -ZmljYXRlMB0GA1UdDgQWBBQwbU5oHU2iYHCoVz4hFCvBW59cdTBUBgNVHSMETTBL -gBQd5lldG54KOKRipsGF8/PP1vGX6qEwpC4wLDEOMAwGA1UECwwFT1NBQUYxDTAL -BgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTggEBMA4GA1UdDwEB/wQEAwIF4DAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBADEa -0VuxoFIygeQTqlizpHNwfApPmlAVSKDTWuEu4rhJs8GT61EuWZQPygXEUHCYmGvJ -GMwEGGIDGiQqxMqlqng46gksNJbi1ktXr6Du18qW7gziUd84ve8KcecjZru1Sk1e -UJ/6WEQVE17CHKcnzQZsMDakgP+61VgKbk5NlkeF/Qh4L6/3jY7g+xoXqaId5RT9 -BetmH/cMsj33lxQTs0fcXTbAQd6BX5ug854OJ1mU4ngJnNBdmn9Ow1bB71ohf5Xv -OEYX8+khjgjlmM0u1hBRL4qViv3y2Gzhpm1M8cETMDj4g0zIJytzIYMxO8XvDPCF -YmVZHXJDLsCogSOmmh0= ------END CERTIFICATE----- \ No newline at end of file diff --git a/kubernetes/oof/components/oof-has/resources/config/aai_key.key b/kubernetes/oof/components/oof-has/resources/config/aai_key.key deleted file mode 100755 index 246ff6d8cb..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/aai_key.key +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIvxjZPeQVkRACAggA -MBQGCCqGSIb3DQMHBAhWqwQCjZFCrASCBMjWG5wsC1WFJISJ5odMHzYOWOKLpaDP -7a/dxnBrV6gId/DTmzoqtiBCmQRqhnUuYok98DNUFGjR9JqztNNOf5eslzqCugsh -zVwCvsJYKvxxJ4Q8tow3DKx28I6EmOvwudMsL9c30OxpEWdlWmyFimu5JDdDvWUH -S0fWKebQETZ7lptiRX2IXhC3Ye6Wu/DowDYc5L4Z/Q8nwncMB3n2ntMX10pBrura -15/R18AvG5cDwcasTXz5WKIB/K2onvJfW0so2M8jApu2DF4MpEIN9Z973uTNFXcL -dgHKWtIl2WO38coedaXUILgsxLSSU27TG4F+7QMGjiKXUSWjN9+TD+8zWye/9OIW -qfVtoh+n7lWtzC3Axo1OmPInCkFb+I7QaDsJgsUn+ZWap7FVJFrYiz20UTzYYgAK -OukCgKiJTHOhTT1k0km34ROPmqOk6mH7IkioUSTmoP362RpIVTbKv2e5GKzhYfkk -27W3RRG/qoZLUTU2AaAyoGZlzXDkBFw2g4vxnhcfHeXX6jyJyQWOOOeRJ5B6uc+Y -4XmKKJvq5pFlxUDmVCZLRzjwpvYPTQwTQQ9t7kEZFI8B7TMkDqv62YlXyoWNDwPq -yLvDwPDicx33AZor8N/eDgIOE+TXQ0vEyphf0c9OcgneeJmEtn7IskEahv32ruMQ -uFAAuIUmQfXPNMXu3MYIUItvZDm3RUk3YJDj9c8YtvxDlzLytHu5QYJ3v7rvo+mG -XKwmnZouaNRLw5Y7Mff07BuTPuttyNadacuJtUjvv8qVOIeuxQ7nku6yqKKLTeJr -8E4/tYyZ15FIo3hWi16h3zyZ9LiHhhe7d2XYSVMuzuD4jkIdHbdgiKsCJn9mI5PF -VpDF34w1Fjwv7Gu32MRMpJijAW10ENaP1O2izr9l8jwo+CLgi5qa6a2YTYAZooqt -UjTLfEIQKbwFbq5L9Eb1uRw1lRR9SxcxdNQdY+mtx0x2BSmXVUEcyi6OG/8Lzf/1 -9VoE5UPfhSE7ogfbL8eraFlQmKL8f3h3Jx/XDvvKC8YXxgooEhV0BsofXmLdF0BK -bhXR1/JptLz8CJjtlBWQkmqj+ONOHFA9/4YHMNn5T1PBLNzQCZSjQXrDKxowLDsI -ozUyZ080c2LrJCf6zj6+fB3LDvHYfJ6LnYASCHJlNS0NVmRPiYB/dmoqF/iyAEjp -cKUUrbhs6U95aPMo0pPSCuhLKiibCo3Vz/9dvGb7pr6aj/ehOjrtKtGlYukBqNkS -RQK2kkL8IO+iPWs3aCnEhfeS+wNBMAtI/TEw6As2zseyb3/SylHjek4s1gs9MPdw -c3o2ArwMzmP0sfFIjYz+AyQm+5i/LSnkNjG0OU9ekGXy7Z4HAcko2Dv8/SmOVapP -cf8c55RUDlYJh9Ltn0W5fuNA6dykV7f9s8BIrZcnzTN+lifNhNlEYYcmyZwlCcX4 -NBLoH+ENW+Q7+nuhGcf52j/XgTaPZ0Eec8ZJdK7FzVDN4DWKM4KHD7DgpkOR7TZl -IKGNtdvb3SaGG83YlJhRkkr0C2KvB0Mz2dkAhOKX3NkBr5fY62IvuMdqD7VDjGAw -h/GBn0k5+gpVP0Uh6yWEla3CjM9GnUuMVcwIUAYSeW2rFu4iapK0gBwguR91cM1N -MA8= ------END ENCRYPTED PRIVATE KEY----- 
diff --git a/kubernetes/oof/components/oof-has/resources/config/bundle.pem b/kubernetes/oof/components/oof-has/resources/config/bundle.pem deleted file mode 100755 index 60121e751b..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/bundle.pem +++ /dev/null @@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEVDCCAjygAwIBAgIBATANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB -RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwNDA1MTQxNTQwWhcN -MTgwNjA0MTQxNTQwWjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG -A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzEwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCY3YPA/YQdz4kaZQzdRzWNjmn33WYAWZ8+ -EIz3PhkEzk7M1q9N7Icx2LvozMj4VH0yGz/HYlliHhw26ZRsjYMSR8zATsXl4oW9 -w9BrjuyvM3w8Ptxe8WbUFF9LJDGyXPeVvcXVo0iyh3QYPWC/AWmomN19MvBFN5vH -AvEG/7qtonViNfISW9Gr9LpXB0foCmUDBu/lV+SwRGajoCPqdZhZ6/L6/yqDvha2 -wsML/UZXlGhXAedt/xOKmT/dSXx/I0vWBVp6Tq4zu87yCvd+I6Tpa5HjttA2I5EV -zdHX+JYBPBBcVCyO9YQOYjJuoVDE4D5etY6dEipKG/KZF/rqAoqZAgMBAAGjZjBk -MB0GA1UdDgQWBBQd5lldG54KOKRipsGF8/PP1vGX6jAfBgNVHSMEGDAWgBRTVTPy -S+vQUbHBeJrBKDF77+rtSTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE -AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAmgeiitBDi/YEqFh2Cqp0VIEqw8hiuV87 -rADQWMK4hv5WXl3KJTjFAnWsYFUKrm6s1jNH16FyGExUQgwggob0Vt+MHiUs36jU -kyret/uE5qrjz+/J+i2XG6s1oKcDRVD/jU4qBygZWFBMuwl7sz8IEvaYXGM43s96 -Du3UF9E+V3aMppqkGWz6MnrTmANnWAlDAMeifcoexjrpxiKbp8f49HX1UzwFoeEg -RnVwNqgDWT66yGV6mbNl6FpE/U81RpCRY1ZJDeVTxbqIaG/UPV4hpQ+BEVBDF+cb -rGsvsNYYpWx5srIQ7WtGKIlaDFbfWPwnHDHegzr8ypAS3KNWULE+QXCbHWtB+b0Y -WhP/2F6Jjb+ByvJqQoE+nHEYBeUOZUUZC4IuQFNJ5Wy5P0CNXdheiWhdrBmG02Gy -KMi0FJx6BEoWM2xcdl6bn5j9mhF4TX7zgepNWlgTra4Z8Oz8iqbQk33/s2OKM4ic -6ZezUYhNp+MuUt4Se+ufNcGV65jnUKeROtWzNLwP+xwglEFlG8aNiAORthd7QJuT -Ey2cX7H7f38ENQ5YCriUk1nVLO9F66l/rNRzYZgQzRI3IvDW8vyM2TLW2mcZNsaf -qjFMcCDweV2FRb8eTbmWzzB2/xTVpGzVJqzwgE+U7UtJx5CZS3wPkvXuEgvcg1tY -m1r4NGYFvLM= ------END CERTIFICATE----- \ No newline at end of file 
diff --git a/kubernetes/oof/components/oof-has/resources/config/conductor.conf b/kubernetes/oof/components/oof-has/resources/config/conductor.conf index d650808036..511c0cd6de 100755 --- a/kubernetes/oof/components/oof-has/resources/config/conductor.conf +++ b/kubernetes/oof/components/oof-has/resources/config/conductor.conf @@ -159,13 +159,13 @@ appkey = "" # # is_aaf_enabled. (boolean value) -is_aaf_enabled = {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} +is_aaf_enabled = false # aaf_cache_expiry_hrs. (integer value) aaf_cache_expiry_hrs = 3 # aaf_url. (string value) -aaf_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}}/authz/perms/user/ +aaf_url = # aaf_cert_file. (string value) #aaf_cert_file = @@ -175,7 +175,7 @@ aaf_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config # aaf_ca_bundle_file. (string value) #aaf_ca_bundle_file = -aaf_ca_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} +aaf_ca_bundle_file = # aaf_retries. (integer value) #aaf_retries = 3 @@ -194,11 +194,11 @@ aaf_ca_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_Roo # # is_enabled. (boolean value) -is_enabled = {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} +is_enabled = false # Base URL for SMS, up to and not including the version, and without a trailing # slash. (string value) -aaf_sms_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.sms.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sms.port}} +aaf_sms_url = # Timeout for SMS API Call (integer value) 
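Review bot: `is_aaf_enabled = false` in the first conductor.conf hunk is now a literal, so what is presumably conductor's AAF permission check can no longer be enabled from values, and nothing in the file says what authenticates or authorises API callers instead. If that responsibility has moved to an ingress or service mesh (not visible in this diff), state it next to the setting, for example `# AAF removed; caller authn/authz is enforced outside conductor`. The bare `aaf_url =` and `aaf_ca_bundle_file =` assignments could go back to the commented defaults printed just above them so the section does not read as half-configured. The SMS hunk on this line (`is_enabled = false`, `aaf_sms_url =`) has the same gap.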
@@ -234,8 +234,7 @@ complex_cache_refresh_interval = 60 # Base URL for A&AI, up to and not including the version, and without a # trailing slash. (string value) -#server_url = https://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai -server_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aai.port .Values.config.aai.plainPort }}/aai +server_url = http://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai # Timeout for A&AI Rest Call (string value) #aai_rest_timeout = 30 @@ -256,7 +255,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} +certificate_authority_bundle_file = # Username for AAI. (string value) username = OOF 
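Review bot: The new A&AI `server_url = http://…/aai` is pinned to plain HTTP while the same section still sets `username = OOF`, so the A&AI username (and presumably its password) crosses the cluster network unencrypted unless something outside this chart wraps the connection. The second hunk also leaves `certificate_authority_bundle_file =` empty, so there is no trust anchor to fall back on if the URL is later overridden to https. If transport security is meant to come from a service mesh, I would say so above the URL, e.g. `# plain HTTP by design: encryption is provided by the mesh sidecar; do not deploy without it`. The SDC `server_url` hunk and the nginx `listen 8091;` hunk further down have the same property.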
@@ -452,102 +451,6 @@ username = password = -[music_api] - -# -# From conductor -# - -# Base URL for Music REST API without a trailing slash. (string value) -#server_url = http://oof-has-music:8080/MUSIC/rest/v2 -server_url = https://{{.Values.config.music.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.music.port}}/MUSIC/rest/v2 -version = v2 - -# DEPRECATED: List of hostnames (round-robin access) (list value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use server_url instead -#hostnames = - -# DEPRECATED: Port (integer value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use server_url instead -#port = - -# DEPRECATED: Path (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use server_url instead -#path = - -# Socket connection timeout (floating point value) -#connect_timeout = 3.05 - -# Socket read timeout (floating point value) -#read_timeout = 12.05 - -# Lock timeout (integer value) -#lock_timeout = 10 - -# Replication factor (integer value) -#replication_factor = 1 -replication_factor = 1 - -# Use mock API (boolean value) -#mock = false - -# (string value) -#music_topology = SimpleStrategy - -# Name of the first data center (string value) -#first_datacenter_name = - -# Number of replicas in first data center (integer value) -#first_datacenter_replicas = - -# Name of the second data center (string value) -#second_datacenter_name = - -# Number of replicas in second data center (integer value) -#second_datacenter_replicas = - -# Name of the third data center (string value) -#third_datacenter_name = - -# Number of replicas in third data center (integer value) -#third_datacenter_replicas = - -# new or old version (boolean value) -#music_new_version = -music_new_version = True - -# for version (string value) -#music_version = -music_version = "3.2.40" - -# 
username value that used for creating basic authorization header (string -# value) -#aafuser = -aafuser = conductor - -# password value that used for creating basic authorization header (string -# value) -#aafpass = -aafpass = c0nduct0r - -# AAF namespace field used in MUSIC request header (string value) -#aafns = -aafns = conductor - -# Enabling HTTPs mode (boolean value) -enable_https_mode = True - -# Certificate Authority Bundle file in pem format. Must contain the appropriate -# trust chain for the Certificate file. (string value) -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer - - [prometheus] # @@ -680,8 +583,7 @@ concurrent = true # Base URL for SDC, up to and not including the version, and without a # trailing slash. (string value) #server_url = https://controller:8443/sdc -#server_url = https://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc -server_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdc.port .Values.config.sdc.plainPort }}/sdc +server_url = http://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc # Timeout for SDC Rest Call (string value) #sdc_rest_timeout = 30 @@ -704,7 +606,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} +certificate_authority_bundle_file = # Username for SDC. (string value) #username = 
@@ -749,7 +651,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} +certificate_authority_bundle_file = # Username for CPS. (string value) #username = @@ -770,7 +672,7 @@ get_ta_list_url = "/api/v1/execute/ran-coverage-area/get_ta_list" # Base URL for DCAE, up to and not including the version, and without a # trailing slash. (string value) -server_url = http://{{.Values.config.dcae.service}}.{{ include "common.namespace" . }}:{{.Values.config.dcae.port}} +server_url = http://{{.Values.config.dcae.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.dcae.port}} # Timeout for DCAE Rest Call (string value) #dcae_rest_timeout = 30 @@ -793,7 +695,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} +certificate_authority_bundle_file = # Username for DCAE. (string value) #username = diff --git a/kubernetes/oof/components/oof-has/resources/config/nginx.conf b/kubernetes/oof/components/oof-has/resources/config/nginx.conf index 9272e8581c..1c1094dacb 100644 --- a/kubernetes/oof/components/oof-has/resources/config/nginx.conf +++ b/kubernetes/oof/components/oof-has/resources/config/nginx.conf 
@@ -11,17 +11,8 @@ http { server { -{{ if (include "common.needTLS" .) }} - listen 8091 ssl; - server_name oof; - ssl_certificate /opt/bitnami/nginx/org.onap.oof.crt; - ssl_certificate_key /opt/bitnami/nginx/ssl/local/org.onap.oof.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; -{{ else }} listen 8091; server_name oof; -{{ end }} location / { include /opt/bitnami/nginx/conf/uwsgi_params; diff --git a/kubernetes/oof/components/oof-has/values.yaml b/kubernetes/oof/components/oof-has/values.yaml index 0c5397c5a8..33558c4567 100755 --- a/kubernetes/oof/components/oof-has/values.yaml +++ b/kubernetes/oof/components/oof-has/values.yaml @@ -27,11 +27,6 @@ global: # Secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - name: &oof-certs '{{ include "common.release" . }}-oof-onap-certs' - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-root-password name: &root-password '{{ include "common.release" . }}-has-etcd-root-password' type: password @@ -50,31 +45,20 @@ nodePortPrefix: 302 dataRootDir: /dockerdata-nfs config: dbBackend: etcd - aaf: - serviceName: aaf-service - port: 8100 aai: serviceName: aai - port: 8443 - plainPort: 80 + port: 80 msb: serviceName: msb-iag port: 80 - music: - serviceName: music - port: 8443 - sms: - serviceName: aaf-sms - port: 10443 sdc: serviceName: sdc-be - port: 8443 - plainPort: 8080 + port: 8080 cps: - service: cps-tbdmt + serviceName: cps-tbdmt port: 8080 dcae: - service: dcae-slice-analysis-ms + serviceName: dcae-slice-analysis-ms port: 8080 etcd: serviceName: &etcd-service oof-has-etcd 
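Review bot: Renaming `config.cps.service` to `config.cps.serviceName` in the second values.yaml hunk needs every template reference renamed with it, and only the DCAE one is visible: conductor.conf switches `.Values.config.dcae.service` to `.serviceName`, but no hunk touches a CPS URL. If conductor.conf or another template outside this diff still reads `.Values.config.cps.service`, the chart renders without error and produces a URL with an empty host. Worth grepping for `config.cps.service` and `config.dcae.service` before merging. Existing override files that set the old `service:` or `plainPort:` keys will also be ignored silently, which deserves a line in the release notes.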
@@ -89,24 +73,23 @@ flavor: small resources: small: limits: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 4Gi - cpu: 2000m + cpu: "2" + memory: "4Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} #component overrides oof-has-api: &has-config enabled: true - certSecret: *oof-certs config: etcd: userCredentialsExternalSecret: *user-creds @@ -115,8 +98,6 @@ oof-has-controller: *has-config oof-has-data: *has-config oof-has-reservation: *has-config oof-has-solver: *has-config -music: - enabled: false #etcd subchart configurations etcd: @@ -132,18 +113,18 @@ etcd: resources: &etcd-resources small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 75Mi + cpu: "10m" + memory: "70Mi" large: limits: - cpu: 200m - memory: 1Gi + cpu: "200m" + memory: "1Gi" requests: - cpu: 50m - memory: 300Mi + cpu: "50m" + memory: "300Mi" unlimited: {} etcd-init: @@ -160,6 +141,8 @@ etcd-init: keyPrefix: conductor flavor: *etcd-flavor resources: *etcd-resources + serviceAccount: + nameOverride: *job-name # Python doesn't support well dollar sign in password passwordStrengthOverride: basic diff --git a/kubernetes/oof/components/oof-templates/Chart.yaml b/kubernetes/oof/components/oof-templates/Chart.yaml index 92fea369db..946be1fd2d 100755 --- a/kubernetes/oof/components/oof-templates/Chart.yaml +++ b/kubernetes/oof/components/oof-templates/Chart.yaml @@ -18,10 +18,10 @@ apiVersion: v2 description: ONAP OOF helm templates name: oof-templates -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-templates/templates/_certificate.tpl b/kubernetes/oof/components/oof-templates/templates/_certificate.tpl deleted file mode 100644 index 4da128bcbb..0000000000 
--- a/kubernetes/oof/components/oof-templates/templates/_certificate.tpl +++ /dev/null @@ -1,11 +0,0 @@ -{{- define "oof.certificate.volume" -}} -- name: {{ include "common.fullname" . }}-onap-certs - secret: - secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "oof-onap-certs") }} - items: - - key: aaf_root_ca.cer - path: aaf_root_ca.cer - - key: intermediate_root_ca.pem - path: intermediate_root_ca.pem -{{- end -}} - diff --git a/kubernetes/oof/resources/config/certs/aaf_root_ca.cer b/kubernetes/oof/resources/config/certs/aaf_root_ca.cer deleted file mode 100755 index e9a50d7ea0..0000000000 --- a/kubernetes/oof/resources/config/certs/aaf_root_ca.cer +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV -BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx -NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK -DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 -XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn -H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM -pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 -NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg -2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY -wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd -ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM -P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 -aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY -PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G -A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ -UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz -L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 -7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx -c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf -jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 -RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h -PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF -CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ -Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A -cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR -ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX -dYY= ------END CERTIFICATE----- 
diff --git a/kubernetes/oof/resources/config/certs/intermediate_root_ca.pem b/kubernetes/oof/resources/config/certs/intermediate_root_ca.pem deleted file mode 100644 index b67866d160..0000000000 --- a/kubernetes/oof/resources/config/certs/intermediate_root_ca.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB -RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN -MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG -A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL -neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d -o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3 -nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV -v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO -15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw -gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV -M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/ -BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B -AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q -ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl -u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+ -+pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/ -QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht -8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX -kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3 -aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky -uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w -tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep -BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k= ------END CERTIFICATE----- - 
diff --git a/kubernetes/oof/resources/config/conf/common_config.yaml b/kubernetes/oof/resources/config/conf/common_config.yaml index d34967617b..394bece9d9 100644 --- a/kubernetes/oof/resources/config/conf/common_config.yaml +++ b/kubernetes/oof/resources/config/conf/common_config.yaml @@ -4,8 +4,6 @@ osdf_system: internal: 8699 # inside the Docker container, the app listens to this port external: 8698 # clients use this port on DockerHost osdf_ip_default: 0.0.0.0 -# # Important Note: At deployment time, we need to ensure the port mapping is done - ssl_context: {{ if (include "common.needTLS" .) }}['/opt/osdf/org.onap.oof.crt', '/opt/osdf/osaaf/local/org.onap.oof.key']{{ end }} osdf_temp: # special configuration required for "workarounds" or testing local_policies: @@ -113,6 +111,17 @@ policy_info: resources: - nst + nsst_selection: + policy_fetch: by_scope + policy_scope: + - + scope: + - OSDF_GUILIN + services: + - nsst + resources: + - nsst + subnet_selection: policy_fetch: by_scope policy_scope: diff --git a/kubernetes/oof/resources/config/conf/osdf_config.yaml b/kubernetes/oof/resources/config/conf/osdf_config.yaml index ff62bb6b0a..818d4f340a 100755 --- a/kubernetes/oof/resources/config/conf/osdf_config.yaml +++ b/kubernetes/oof/resources/config/conf/osdf_config.yaml 
@@ -11,14 +11,14 @@ placementDefaultMinorVersion: {{ .Values.config.placementDefaultMinorVersion }} placementDefaultPatchVersion: {{ .Values.config.placementDefaultPatchVersion }} # Credentials for Conductor -conductorUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.conductorUrl.https .Values.config.conductorUrl.http }} +conductorUrl: {{ .Values.config.conductorUrl.http }} conductorPingWaitTime: {{ .Values.config.conductorPingWaitTime }} conductorMaxRetries: {{ .Values.config.conductorMaxRetries }} # versions to be set in HTTP header conductorMinorVersion: {{ .Values.config.conductorMinorVersion }} # Policy Platform -- requires ClientAuth, Authorization, and Environment -policyPlatformUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.policyPlatformUrl.https .Values.config.policyPlatformUrl.http }} +policyPlatformUrl: {{ .Values.config.policyPlatformUrl.http }} policyPlatformEnv: {{ .Values.config.policyPlatformEnv }} # Credentials for DMaaP 
@@ -29,19 +29,16 @@ messageReaderTopic: {{ .Values.config.messageReaderTopic }} sdcUrl: {{ .Values.config.sdcUrl }} sdcONAPInstanceID: {{ .Values.config.sdcONAPInstanceID }} -is_aaf_enabled: {{ .Values.config.is_aaf_enabled }} -aaf_cache_expiry_mins: {{ .Values.config.aaf_cache_expiry_mins }} -aaf_url: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aaf_url.https .Values.config.aaf_url.http }} +is_aaf_enabled: False +aaf_cache_expiry_mins: 5 +aaf_url: aaf_user_roles: - {{- range .Values.config.aaf_user_roles }} - - {{ . }} - {{- end }} # Secret Management Service from AAF -aaf_sms_url: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aaf_sms_url.https .Values.config.aaf_sms_url.http }}.{{ include "common.namespace" . }}:{{ .Values.config.aaf_sms_port }} -aaf_sms_timeout: {{ .Values.config.aaf_sms_timeout }} -secret_domain: {{ .Values.config.secret_domain }} -aaf_ca_certs: {{ .Values.config.aaf_ca_certs }} +aaf_sms_url: +aaf_sms_timeout: 30 +secret_domain: '' +aaf_ca_certs: '' configClientType: {{ .Values.config.configClientType }} @@ -56,7 +53,7 @@ cpsCellListUrl: {{ .Values.config.cps.cellListUrl }} cpsNbrListUrl: {{ .Values.config.cps.nbrListUrl }} # AAI api -aaiUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aaiUrl.https .Values.config.aaiUrl.http }} +aaiUrl: {{ .Values.config.aaiUrl.http }} aaiGetLinksUrl: {{ .Values.config.aaiGetLinksUrl }} aaiServiceInstanceUrl : {{ .Values.config.aaiServiceInstanceUrl }} aaiGetControllersUrl: {{ .Values.config.aaiGetControllersUrl }} @@ -65,7 +62,7 @@ aaiGetInterDomainLinksUrl: {{ .Values.config.aaiGetInterDomainLinksUrl }} dslQueryPath: /aai/v23/dsl?format= #DES api -desUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.desUrl.https .Values.config.desUrl.http }} +desUrl: {{ .Values.config.desUrl.http }} desApiPath: {{ .Values.config.desApiPath }} desHeaders: Accept: application/json 
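Review bot: The AAF block in the first hunk now renders bare keys, so `aaf_url:`, `aaf_sms_url:` and `aaf_user_roles:` all become YAML null, whereas `secret_domain: ''` and `aaf_ca_certs: ''` just below are empty strings and `aaf_user_roles` used to be a list. Code that iterates the roles or concatenates the URLs would receive `None`; whether OSDF still reads these keys when `is_aaf_enabled: False` is not visible here. Writing `aaf_url: ''`, `aaf_sms_url: ''` and `aaf_user_roles: []` keeps the types stable at no cost.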
diff --git a/kubernetes/oof/templates/deployment.yaml b/kubernetes/oof/templates/deployment.yaml
index 31884c06bb..5eb0fc0c6a 100644
--- a/kubernetes/oof/templates/deployment.yaml
+++ b/kubernetes/oof/templates/deployment.yaml
@@ -18,61 +18,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - command: - - /app/ready.py - args: - - --container-name - - policy-xacml-pdp - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - {{- if (include "common.needTLS" .) }} - - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} http{{ if (include "common.needTLS" .) }}s{{ end }}://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/osdf/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-osdf-sms-readiness - {{- end }} -{{ include "common.certInitializer.initContainer" . | indent 6 }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . 
}} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -82,13 +36,10 @@ spec: args: - "-c" - | - {{- if (include "common.needTLS" .) }} - grep -v '^$' /opt/osdf/osaaf/local/org.onap.oof.crt > /tmp/oof.crt - cat /tmp/oof.crt /opt/app/ssl_cert/intermediate_root_ca.pem /opt/app/ssl_cert/aaf_root_ca.cer >> /opt/osdf/org.onap.oof.crt - {{ end }} python osdfapp.py ports: - containerPort: {{ .Values.service.internalPort }} + name: http # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if .Values.liveness.enabled }} @@ -105,21 +56,9 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/osdf/config/osdf_config.yaml name: {{ include "common.fullname" . }}-config subPath: osdf_config.yaml - {{- if (include "common.needTLS" .) }} - - mountPath: /opt/app/ssl_cert/aaf_root_ca.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - - mountPath: /opt/app/ssl_cert/intermediate_root_ca.pem - name: {{ include "common.fullname" . }}-onap-certs - subPath: intermediate_root_ca.pem - {{- end }} - mountPath: /opt/osdf/config/common_config.yaml name: {{ include "common.fullname" . }}-config subPath: common_config.yaml @@ -129,8 +68,7 @@ spec: - mountPath: /opt/osdf/config/slicing_config.yaml name: {{ include "common.fullname" . }}-config subPath: slicing_config.yaml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -141,10 +79,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -157,6 +91,4 @@ spec: path: log.yml - key: slicing_config.yaml path: slicing_config.yaml -{{ include "oof.certificate.volume" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/templates/ingress.yaml b/kubernetes/oof/templates/ingress.yaml index 8f87c68f1e..99c7f87970 100644 --- a/kubernetes/oof/templates/ingress.yaml +++ b/kubernetes/oof/templates/ingress.yaml @@ -1 +1,19 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright (C) 2020 Wipro Limited. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/oof/templates/service.yaml b/kubernetes/oof/templates/service.yaml index b2da17a23f..418f89ac93 100644 --- a/kubernetes/oof/templates/service.yaml +++ b/kubernetes/oof/templates/service.yaml 
@@ -15,30 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/oof/values.yaml b/kubernetes/oof/values.yaml index f6867bd8bf..738df14015 100644 --- a/kubernetes/oof/values.yaml +++ b/kubernetes/oof/values.yaml 
@@ -19,23 +19,11 @@ global: nodePortPrefix: 302 persistence: {} -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: oof-onap-certs - name: &oof-certs '{{ include "common.release" . }}-oof-onap-certs' - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: - - resources/config/certs/intermediate_root_ca.pem - - resources/config/certs/aaf_root_ca.cer - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/optf-osdf:3.0.7 +image: onap/optf-osdf:3.0.8 pullPolicy: Always # flag to enable debugging - application support required @@ -57,7 +45,6 @@ config: # Url and credentials for Conductor. conductorUrl: - https: https://oof-has-api:8091/v1/plans/ http: http://oof-has-api:8091/v1/plans/ conductorPingWaitTime: 10 conductorMaxRetries: 30 @@ -65,7 +52,6 @@ config: conductorMinorVersion: 0 # Url and credentials for the Policy Platform policyPlatformUrl: - https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision # Policy Dev platform URL http: http://policy-xacml-pdp:8080/policy/pdpx/v1/decision policyPlatformEnv: TEST # Environment for policy platform # Credentials for the message reader - A placeholder. 
@@ -74,28 +60,14 @@ config: # Credentials for the SDC interface - A placeholder. sdcUrl: NA sdcONAPInstanceID: NA - #AAF Authentication - is_aaf_enabled: False - aaf_cache_expiry_mins: 5 - aaf_url: - https: https://aaf-service:8100 - http: http://aaf-service:8080 - aaf_user_roles: - - '/placement:org.onap.oof.access|*|read ALL' - - '/pci:org.onap.oof.access|*|read ALL' - # Secret Management Service from AAF - aaf_sms_url: - https: https://aaf-sms - http: http://aaf-sms - aaf_sms_port: 10443 - aaf_sms_timeout: 30 - secret_domain: osdf - aaf_ca_certs: /opt/app/ssl_cert/aaf_root_ca.cer + configClientType: cps + # config db api configDbUrl: http://configdb:8080 configDbGetCellListUrl: 'api/sdnc-config-db/v3/getCellList' configDbGetNbrListUrl: 'api/sdnc-config-db/v3/getNbrList' + # cps api cps: url: cps-tbdmt:8080/execute @@ -104,8 +76,7 @@ config: #aai api aaiUrl: - https: https://aai:8443 - http: http://aai:8080 + http: http://aai:80 aaiGetLinksUrl: /aai/v16/network/logical-links aaiServiceInstanceUrl : /aai/v20/nodes/service-instances/service-instance/ aaiGetControllersUrl: /aai/v19/external-system/esr-thirdparty-sdnc-list @@ -113,7 +84,6 @@ config: aaiGetInterDomainLinksUrl: /aai/v19/network/logical-links?link-type=inter-domain&operational-status=up #des api desUrl: - https: https://des.url:9000 http: http://des.url:8080 desApiPath: /datalake/v1/exposure/ desUsername: '' 
@@ -125,39 +95,23 @@ affinity: {} # Resource Limit flavor -By Default using small flavor: small -#sub-charts configuration -certInitializer: - nameOverride: oof-osdf-cert-initializer - fqdn: "oof.onap" - app_ns: "org.osaaf.aaf" - fqi: "oof@oof.onap.org" - fqi_namespace: org.onap.oof - public_fqdn: "oof.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - appMountPath: /opt/osdf/osaaf - aaf_add_config: > - chmod 444 {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key; - # Segregation for Different environment (Small and Large) resources: small: limits: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 4Gi - cpu: 2000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" + unlimited: {} # probe configuration parameters liveness: @@ -172,9 +126,11 @@ readiness: service: type: NodePort name: oof-osdf - externalPort: 8698 internalPort: 8699 - nodePort: 48 + ports: + - name: http + port: 8698 + nodePort: '48' ingress: enabled: false service: @@ -188,7 +144,11 @@ ingress: oof-has: enabled: true - certSecret: *oof-certs + +readinessCheck: + wait_for: + services: + - policy-xacml-pdp #Pods Service Account serviceAccount: diff --git a/kubernetes/platform/Chart.yaml b/kubernetes/platform/Chart.yaml index 8ba1101d99..aec56cf9a1 100644 --- a/kubernetes/platform/Chart.yaml +++ b/kubernetes/platform/Chart.yaml 
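Review bot: The `service:` hunk keeps `type: NodePort` while the only port is now named `http`, so with `nodePortPrefix: 302` and `nodePort: '48'` the OSDF API is published on every node over cleartext. The same commit hard-codes `is_aaf_enabled: False` in the OSDF config template, which suggests (not confirmed from this hunk) that the application no longer authenticates requests arriving on that port. Defaulting to `type: ClusterIP` and exposing the API through the existing `ingress:` block would keep the port off the node network. If NodePort has to stay, a comment such as `# NodePort serves plain HTTP; restrict access at the network layer` belongs next to it.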
@@ -19,15 +19,26 @@ apiVersion: v2 description: ONAP platform components name: platform -version: 12.0.0 +version: 13.0.1 dependencies: - name: oom-cert-service - version: ~12.x-0 - repository: 'file://components/oom-cert-service' + version: ~13.x-0 + repository: '@local' + condition: oom-cert-service.enabled - name: cmpv2-cert-provider - version: ~12.x-0 - repository: 'file://components/cmpv2-cert-provider' + version: ~13.x-0 + repository: '@local' + condition: cmpv2-cert-provider.enabled - name: chartmuseum - version: ~12.x-0 - repository: 'file://components/chartmuseum' + version: ~13.x-0 + repository: '@local' + condition: chartmuseum.enabled + - name: keycloak-init + version: ~13.x-0 + repository: '@local' + condition: keycloak-init.enabled + - name: oauth2-proxy + version: ~13.x-0 + repository: '@local' + condition: oauth2-proxy.enabled diff --git a/kubernetes/platform/components/chartmuseum/Chart.yaml b/kubernetes/platform/components/chartmuseum/Chart.yaml index ccf50f78fc..14a2d0b9e1 100644 --- a/kubernetes/platform/components/chartmuseum/Chart.yaml +++ b/kubernetes/platform/components/chartmuseum/Chart.yaml @@ -20,18 +20,15 @@ apiVersion: v2 description: ONAP Chart Museum name: chartmuseum -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/platform/components/chartmuseum/templates/deployment.yaml b/kubernetes/platform/components/chartmuseum/templates/deployment.yaml index cc07f27bb1..3956255fb2 100644 --- a/kubernetes/platform/components/chartmuseum/templates/deployment.yaml +++ b/kubernetes/platform/components/chartmuseum/templates/deployment.yaml 
@@ -79,5 +79,4 @@ spec: emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/platform/components/chartmuseum/values.yaml b/kubernetes/platform/components/chartmuseum/values.yaml index 05a8b1537b..7068990c7d 100644 --- a/kubernetes/platform/components/chartmuseum/values.yaml +++ b/kubernetes/platform/components/chartmuseum/values.yaml @@ -82,16 +82,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.5 - memory: 512Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} \ No newline at end of file diff --git a/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml index c48d31d7a4..a77fb20fd6 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP CMPv2 certificate external provider for cert-manager name: cmpv2-cert-provider -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml index ce5e410abe..3513c21d1a 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml 
@@ -43,8 +43,7 @@ spec: {{- end }} {{- end }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index e387cc8e55..6d48efd453 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -15,7 +15,7 @@ # Global global: nodePortPrefix: 302 - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 busyboxRepository: registry.hub.docker.com @@ -35,14 +35,15 @@ deployment: logLevel: debug resources: limits: - cpu: 250m - memory: 128Mi + cpu: "250m" + memory: "100Mi" requests: - cpu: 100m - memory: 64Mi + cpu: "100m" + memory: "60Mi" readinessCheck: wait_for: - - oom-cert-service + services: + - oom-cert-service # CMPv2Issuer cmpv2issuer: diff --git a/kubernetes/platform/components/keycloak-init/.helmignore b/kubernetes/platform/components/keycloak-init/.helmignore new file mode 100644 index 0000000000..cf02291a2a --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +ci/ +examples/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/platform/components/keycloak-init/Chart.yaml new file mode 100644 index 0000000000..44ac9f5213 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/Chart.yaml @@ -0,0 +1,35 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright © 2022 Deutsche Telekom +# ================================================================================ +# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE) +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +apiVersion: v2 +version: 13.0.1 +description: ONAP Realm creation and configuration +name: keycloak-init +sources: +- https://github.com/adorsys/keycloak-config-cli + +# Keycloakx chart version: 1.6.0 +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: onap-keycloak-config-cli + version: 5.10.0 + repository: 'file://components/keycloak-config-cli' diff --git a/kubernetes/platform/components/keycloak-init/Makefile b/kubernetes/platform/components/keycloak-init/Makefile new file mode 100644 index 0000000000..5970a97115 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/Makefile 
@@ -0,0 +1,60 @@ +# Copyright © 2020 Samsung Electronics +# Modifications Copyright © 2020 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: 
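Review bot: The `$(HELM_CHARTS)` and `make-%` recipes invoke `make` by name (`@make package-$@`, `make -C $*`), which bypasses the jobserver and `-n` handling and may pick a different make binary than the one running the parent; `@$(MAKE) package-$@` and `$(MAKE) -C $*` are the usual form. The catch-all `%:` rule with the empty `@:` recipe also lets any mistyped target succeed silently, so if it is intentional it deserves a comment like `# swallow unknown targets passed down from the parent Makefile`. Both points apply equally to the `components/Makefile` added next in this commit.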
diff --git a/kubernetes/platform/components/keycloak-init/components/Makefile b/kubernetes/platform/components/keycloak-init/components/Makefile
new file mode 100644
index 0000000000..4ecfbc53cc
--- /dev/null
+++ b/kubernetes/platform/components/keycloak-init/components/Makefile
@@ -0,0 +1,59 @@ +# Copyright © 2020 Samsung Electronics, Orange, Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: 
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml new file mode 100644 index 0000000000..abcf889834 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml 
@@ -0,0 +1,45 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright © adorsys GmbH & Co. KG +# Modifications © 2022 Deutsche Telekom +# ================================================================================ +# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE) +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +apiVersion: v2 +name: onap-keycloak-config-cli +description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. +home: https://github.com/adorsys/keycloak-config-cli +version: 5.10.0 +appVersion: 5.10.0 +maintainers: + - name: jkroepke + email: joe@adorsys.de + url: https://github.com/jkroepke +keywords: + - keycloak + - config + - import + - json + - continuous-integration + - keycloak-config-cli +sources: + - https://github.com/adorsys/keycloak-config-cli + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' \ No newline at end of file 
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl
new file mode 100644
index 0000000000..cc1ad7ad8d
--- /dev/null
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl
@@ -0,0 +1,68 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "keycloak-config-cli.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "keycloak-config-cli.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "keycloak-config-cli.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "keycloak-config-cli.labels" -}} +helm.sh/chart: {{ include "keycloak-config-cli.chart" . }} +{{ include "keycloak-config-cli.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "keycloak-config-cli.selectorLabels" -}} +app.kubernetes.io/name: {{ include "keycloak-config-cli.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml new file mode 100644 index 0000000000..322db2b7a1 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml 
@@ -0,0 +1,103 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # Modifications © 2022, Deutsche Telekom + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +--- +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "keycloak-config-cli.fullname" . }} + labels: + {{- include "keycloak-config-cli.labels" . | nindent 4 }} +spec: + backoffLimit: {{ .Values.backoffLimit }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- . | nindent 8 }} + {{- end }} + labels: + {{- include "keycloak-config-cli.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: keycloak-config-cli + image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.repository }}:{{ tpl .Values.image.tag $ }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.resources }} + resources: + {{- toYaml . 
| nindent 10 }} + {{- end }} + env: + {{- range $name, $value := .Values.env }} + - name: {{ $name | quote }} + value: {{ tpl $value $ | quote }} + {{- end }} + {{- range $name, $value := .Values.secrets }} + - name: {{ $name | quote }} + valueFrom: + secretKeyRef: + name: "{{ template "keycloak-config-cli.fullname" $ }}" + key: {{ $name | quote }} + {{- end }} + {{- if and .Values.existingSecret .Values.existingSecretKey }} + - name: "KEYCLOAK_PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ tpl .Values.existingSecret . }}" + key: "{{ .Values.existingSecretKey }}" + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /config + {{- with .Values.extraVolumeMounts }} + {{- tpl . $ | nindent 12 }} + {{- end }} + {{ include "common.waitForJobContainer" . | indent 8 | trim }} + volumes: + - name: config + secret: + {{- if .Values.existingConfigSecret }} + secretName: "{{ tpl .Values.existingConfigSecret $ }}" + {{- else }} + secretName: "{{ template "keycloak-config-cli.fullname" . }}-config-realms" + {{- end }} + defaultMode: 0555 + {{- with .Values.extraVolumes }} + {{- tpl . $ | nindent 8 }} + {{- end }} + {{- with .Values.serviceAccount }} + serviceAccountName: "{{ tpl . $ }}" + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml new file mode 100644 index 0000000000..fa9363e9d0 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml 
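Review bot: The `config` volume in job.yaml mounts the realm Secret with `defaultMode: 0555`, which makes the realm JSON readable and executable by every user in the pod, and realm imports commonly carry client secrets and initial user credentials. `defaultMode: 0444` would drop the execute bit without changing who can read, and `0440` together with an `fsGroup` would narrow it further. Separately, `.Values.securityContext` is rendered twice, once under the container and once at what appears to be pod level (inferred from `nindent 8`, since the page has lost the indentation), and those two places accept different fields; a separate `podSecurityContext` value would avoid a setting that is valid in one place and rejected in the other.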
@@ -0,0 +1,32 @@
+{{/*
+ # Copyright © adorsys GmbH & Co. KG
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+*/}}
+{{ if not .Values.existingConfigSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "keycloak-config-cli.fullname" . }}-config-realms
+ labels:
+ {{- include "keycloak-config-cli.labels" . | nindent 4 }}
+data:
+ {{- range $name, $config := .Values.config }}
+ {{- if hasKey $config "file" }}
+ {{ $name }}.json: "{{ tpl ($.Files.Get $config.file) $ | b64enc }}"
+ {{- else if hasKey $config "inline" }}
+ {{ $name }}.json: "{{ tpl (toJson $config.inline) $ | b64enc }}"
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml
new file mode 100644
index 0000000000..94505289e6
--- /dev/null
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml
@@ -0,0 +1,28 @@
+{{/*
+ # Copyright © adorsys GmbH & Co. KG
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+*/}}
+{{ if .Values.secrets }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "keycloak-config-cli.fullname" . }}
+ labels:
+ {{- include "keycloak-config-cli.labels" . | nindent 4 }}
+data:
+ {{- range $name, $value := .Values.secrets }}
+ {{ $name }}: "{{ tpl $value $ | b64enc }}"
+ {{- end }}
+ {{- end }}
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
new file mode 100644
index 0000000000..5f8d4a3fd5
--- /dev/null
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
@@ -0,0 +1,97 @@
+# Copyright © adorsys GmbH & Co. KG
+# Modifications © 2022, Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+global:
+ pullPolicy: Always
+ persistence: {}
+ dockerHubRepository: docker.io
+
+fullnameOverride: ""
+nameOverride: ""
+
+image:
+ repository: adorsys/keycloak-config-cli
+ tag: "{{ .Chart.AppVersion }}-22.0.4"
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ pullSecrets: []
+ # - myRegistryKeySecretName
+
+# Count of re(!)tries. A value of 2 means 3 tries in total.
+backoffLimit: 1
+
+# annotations of the Job. Define helm post hook here
+# currently disabled to see the results and to be compliant with ArgoCD
+#annotations:
+# "helm.sh/hook": "post-install,post-upgrade,post-rollback"
+# "helm.sh/hook-delete-policy": "hook-succeeded,before-hook-creation"
+# "helm.sh/hook-weight": "5"
+
+labels: {}
+
+resources: {}
+ # limits:
+ # cpu: "100m"
+ # memory: "1Gi"
+ # requests:
+ # cpu: "100m"
+# memory: "1Gi"
+
+env:
+ KEYCLOAK_URL: http://keycloak:8080
+ KEYCLOAK_USER: admin
+ IMPORT_PATH: /config/
+
+secrets: {}
+# KEYCLOAK_PASSWORD:
+
+# Specifies an existing secret to be used for the admin password
+existingSecret: ""
+
+# The key in the existing secret that stores the password
+existingSecretKey: password
+
+securityContext: {}
+containerSecurityContext: {}
+
+## Additional pod labels
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+
+## Extra Annotations to be added to pod
+podAnnotations: {}
+
+config: {}
+ # :
+ # inline:
+ # realm:
+ # clients: []
+ # :
+ # file:
+
+existingConfigSecret: ""
+
+# Add additional volumes, e.g. for custom secrets
+extraVolumes: ""
+
+# Add additional volumes mounts, e. g. for custom secrets
+extraVolumeMounts: ""
+
+wait_for_job_container:
+ containers:
+ - 'keycloak-config-cli'
diff --git a/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json
new file mode 100644
index 0000000000..d845c60cfb
--- /dev/null
+++ b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json
@@ -0,0 +1,426 @@ +{ + "id": "ONAP", + "realm": "ONAP", + "enabled": true, + "roles": { + "realm": [ + { + "name": "onap_admin", + "description": "User role for administration tasks in the portal.", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "user", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "admin", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "onap_designer", + "description": "User role for designer tasks in the portal.", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "onap_operator", + "description": "User role for operator tasks in the portal.", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "default-roles-onap", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "view-profile", + "manage-account" + ] + } + }, + "clientRole": false, + "containerId": "onap", + "attributes": {} + } + ] + }, + "groups": [ + { + "name": "admins", + "path": "/admins", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + } + ], + "clients": [ + { + "clientId": "oauth2-proxy", + "name": "Oauth2 Proxy", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": 
"client-secret", + "secret": "5YSOkJz99WHv8enDZPknzJuGqVSerELp", + "redirectUris": [ + "*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "tls-client-certificate-bound-access-tokens": "false", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "acr.loa.map": "{}", + "require.pushed.authorization.requests": "false", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "token.response.type.bearer.lower-case": "false", + "use.refresh.tokens": "true" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "SDC-User", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "multivalued": "false", + "userinfo.token.claim": "true", + "user.attribute": "sdc_user", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "sdc_user", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "groups", + "microprofile-jwt" + ] + }, + { + "clientId": "portal-app", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "{{ .Values.portalUrl }}/*", + "http://localhost/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + 
"standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "{{ .Values.portalUrl }}/*", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "User-Roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "roles", + "multivalued": "true", + "userinfo.token.claim": "true" + } + }, + { + "name": "SDC-User", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "sdc_user", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "sdc_user", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "clientId" : "portal-bff", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : 
true, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "frontchannel.logout.session.required" : "false", + "oauth2.device.authorization.grant.enabled" : "false", + "backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "use.refresh.tokens" : "true", + "oidc.ciba.grant.enabled" : "false", + "backchannel.logout.session.required" : "true", + "client_credentials.use_refresh_token" : "false", + "require.pushed.authorization.requests" : "false", + "saml.client.signature" : "false", + "saml.allow.ecp.flow" : "false", + "id.token.as.detached.signature" : "false", + "saml.assertion.signature" : "false", + "client.secret.creation.time" : "1665048112", + "saml.encrypt" : "false", + "saml.server.signature" : "false", + "exclude.session.state.from.auth.response" : "false", + "saml.artifact.binding" : "false", + "saml_force_name_id_format" : "false", + "acr.loa.map" : "{}", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "token.response.type.bearer.lower-case" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "protocolMappers" : [ { + "name" : "Client Host", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientHost", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientHost", + "jsonType.label" : "String" + } + }, { + "name" : "Client IP Address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientAddress", + "id.token.claim" : 
"true", + "access.token.claim" : "true", + "claim.name" : "clientAddress", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } + ], + "users": [ + { + "createdTimestamp" : 1664965113698, + "username" : "onap-admin", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "attributes" : { + "sdc_user" : [ "cs0008" ] + }, + "credentials" : [ { + "type" : "password", + "createdDate" : 1664965134586, + "secretData" : "{\"value\":\"nD4K4x8HEgk6xlWIAgzZOE+EOjdbovJfEa7N3WXwIMCWCfdXpn7Riys7hZhI1NbKcc9QPI9j8LQB/JSuZVcXKA==\",\"salt\":\"T8X9A9tT2cyLvEjHFo+zuQ==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap", "onap_admin" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "createdTimestamp" : 1665048354760, + "username" : "onap-designer", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "attributes" : { + "sec_user" : [ "cs0008" ] + }, + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap", "onap_designer" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "createdTimestamp" : 1665048547054, + "username" : "onap-operator", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "attributes" : { + "sdc_user" : [ "cs0008" ] + }, + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap", "onap_operator" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "createdTimestamp" : 1665048112458, + "username" : "service-account-portal-bff", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "serviceAccountClientId" : "portal-bff", + 
"credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap" ], + "clientRoles" : { + "realm-management" : [ "manage-realm", "manage-users" ] + }, + "notBefore" : 0, + "groups" : [ ] + } + ], + "clientScopes": [ + { + "name": "groups", + "description": "Membership to a group", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "full.path": "false", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "userinfo.token.claim": "true" + } + } + ] + } + ], + "attributes": { + "frontendUrl": "{{ .Values.KEYCLOAK_URL }}", + "acr.loa.map": "{\"ABC\":\"5\"}" + } +} diff --git a/kubernetes/platform/components/keycloak-init/templates/secret.yaml b/kubernetes/platform/components/keycloak-init/templates/secret.yaml new file mode 100644 index 0000000000..0d9b387dfa --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/templates/secret.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-config-cli-config-realms + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +{{- with .Files.Glob "resources/realms/*json" }} +data: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ tpl ($.Files.Get $path) $ | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml new file mode 100644 index 0000000000..a33ef2c932 --- /dev/null 
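Review bot: The realm import commits live credentials: the `oauth2-proxy` and `portal-bff` clients carry literal `"secret"` values and `onap-admin` ships a fixed PBKDF2 password hash, so every installation of this chart shares the same client secrets and admin password, and they are public in the repository. Because templates/secret.yaml passes this file through `tpl`, the values can be injected per installation, e.g. `"secret": "{{ .Values.<client-secret-key> }}"` (placeholder key name), ideally fed from an existing Secret. The `oauth2-proxy` client also allows `"redirectUris": ["*"]`, and the public `portal-app` client allows `"webOrigins": ["*"]` plus `http://localhost/*`; these should be narrowed to the deployed hostnames. Separately, `onap-designer` sets the attribute `sec_user` where the SDC-User mapper reads `sdc_user`, which looks like a typo.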
+++ b/kubernetes/platform/components/keycloak-init/values.yaml
@@ -0,0 +1,41 @@
+# Copyright © 2022, Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+global:
+ # Global ingress configuration
+ ingress:
+ enabled: false
+ virtualhost:
+ baseurl: "simpledemo.onap.org"
+
+KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/"
+PORTAL_URL: "https://portal-ui.simpledemo.onap.org"
+
+onap-keycloak-config-cli:
+ image:
+ pullSecrets:
+ - name: onap-docker-registry-key
+ #existingSecret: "keycloak-keycloakx-admin-creds"
+ env:
+ KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/
+ KEYCLOAK_SSLVERIFY: "false"
+ KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
+ secrets:
+ KEYCLOAK_PASSWORD: secret
+ existingConfigSecret: "keycloak-config-cli-config-realms"
+
+serviceAccount:
+ nameOverride: keycloak-init
+ roles:
+ - read
diff --git a/kubernetes/platform/components/oauth2-proxy/.helmignore b/kubernetes/platform/components/oauth2-proxy/.helmignore
new file mode 100644
index 0000000000..825c007791
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/.helmignore
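Review bot: `PORTAL_URL` is defined here in upper case, but onap-realm.json references `{{ .Values.portalUrl }}`; Helm value keys are case-sensitive, so the `portal-app` redirect and post-logout URIs presumably render without a host (`/*`). Either rename the key to `portalUrl: "https://portal-ui.simpledemo.onap.org"` or change the realm file to `.Values.PORTAL_URL`. The defaults also ship `KEYCLOAK_PASSWORD: secret` and `KEYCLOAK_SSLVERIFY: "false"`; the commented-out `existingSecret` line is the safer default, and the password should at least carry a comment such as `# demo value, must be overridden`.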
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+OWNERS
diff --git a/kubernetes/platform/components/oauth2-proxy/Chart.yaml b/kubernetes/platform/components/oauth2-proxy/Chart.yaml
new file mode 100644
index 0000000000..13da57793c
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/Chart.yaml
@@ -0,0 +1,34 @@
+#============LICENSE_START========================================================
+# ================================================================================
+# Copyright © 2022 Deutsche Telekom
+# ================================================================================
+# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE)
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+apiVersion: v2
+version: 13.0.0
+description: ONAP Oauth2-proxy
+name: oauth2-proxy
+sources:
+- https://github.com/oauth2-proxy/manifests
+
+dependencies:
+ - name: common
+ version: ~13.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~13.x-0
+ repository: '@local'
+ - name: onap-oauth2-proxy
+ version: 6.10.1
+ repository: 'file://components/oauth2-proxy'
\ No newline at end of file
diff --git a/kubernetes/platform/components/oauth2-proxy/Makefile b/kubernetes/platform/components/oauth2-proxy/Makefile
new file mode 100644
index 0000000000..5970a97115
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/Makefile
@@ -0,0 +1,60 @@
+# Copyright © 2020 Samsung Electronics
+# Modifications Copyright © 2020 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+OUTPUT_DIR := $(ROOT_DIR)/../../dist
+PACKAGE_DIR := $(OUTPUT_DIR)/packages
+SECRET_DIR := $(OUTPUT_DIR)/secrets
+
+EXCLUDES :=
+HELM_BIN := helm
+ifneq ($(SKIP_LINT),TRUE)
+ HELM_LINT_CMD := $(HELM_BIN) lint
+else
+ HELM_LINT_CMD := echo "Skipping linting of"
+endif
+
+HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
+HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}")
+
+.PHONY: $(EXCLUDES) $(HELM_CHARTS)
+
+all: $(HELM_CHARTS)
+
+$(HELM_CHARTS):
+ @echo "\n[$@]"
+ @make package-$@
+
+make-%:
+ @if [ -f $*/Makefile ]; then make -C $*; fi
+
+dep-%: make-%
+ @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
+
+lint-%: dep-%
+ @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
+
+package-%: lint-%
+ @mkdir -p $(PACKAGE_DIR)
+ @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi
+ @sleep 3
+ #@$(HELM_BIN) repo index $(PACKAGE_DIR)
+
+clean:
+ @rm -f */Chart.lock
+ @rm -f *tgz */charts/*tgz
+ @rm -rf $(PACKAGE_DIR)
+%:
+ @:
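Review bot: The `$(HELM_CHARTS)` recipe calls `@make package-$@` and the `make-%` recipe calls `make -C $*` with a literal `make`; using `$(MAKE)` keeps command-line flags, `-n` dry runs and the jobserver working in the sub-make, e.g. `@$(MAKE) package-$@`. `HELM_VER` and `SECRET_DIR` are assigned but not used anywhere in this file, and `HELM_VER` runs `helm version` on every invocation, so both can be dropped. In `package-%`, `$$PACKAGE_NAME` is passed to `cm-push` unquoted, so an output path containing spaces would be split; `"$$PACKAGE_NAME"` avoids that.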
diff --git a/kubernetes/appc/components/Makefile b/kubernetes/platform/components/oauth2-proxy/components/Makefile
old mode 100644
new mode 100755
similarity index 100%
rename from kubernetes/appc/components/Makefile
rename to kubernetes/platform/components/oauth2-proxy/components/Makefile
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore
new file mode 100644
index 0000000000..825c007791
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+OWNERS
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml
new file mode 100644
index 0000000000..b31b35f46d
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml
@@ -0,0 +1,41 @@
+name: onap-oauth2-proxy
+version: 6.10.1
+apiVersion: v2
+appVersion: 7.4.0
+home: https://oauth2-proxy.github.io/oauth2-proxy/
+description: A reverse proxy that provides authentication with Google, Github or other providers
+keywords:
+ - kubernetes
+ - oauth
+ - oauth2
+ - authentication
+ - google
+ - github
+ - redis
+dependencies:
+ - name: redis
+ version: ~16.13.2
+ repository: https://charts.bitnami.com/bitnami
+ alias: redis
+ condition: redis.enabled
+ - name: common
+ version: ~13.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: '@local'
+
+sources:
+ - https://github.com/oauth2-proxy/oauth2-proxy
+ - https://github.com/oauth2-proxy/manifests
+maintainers:
+ - name: desaintmartin
+ email: cedric@desaintmartin.fr
+ - name: tlawrie
+ - name: NickMeves
+ email: nicholas.meves@gmail.com
+ - name: JoelSpeed
+ email: joel.speed@hotmail.co.uk
+ - name: pierluigilenoci
+ email: pierluigi.lenoci@gmail.com
+kubeVersion: ">=1.9.0-0"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md
new file mode 100644
index 0000000000..9e18388501
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md
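Review bot: The `redis` dependency is resolved from the external repository `https://charts.bitnami.com/bitnami` with the floating range `~16.13.2`, and `Chart.lock` is git-ignored in this repository, so the chart that gets packaged depends on whatever that repository serves at build time. Pinning an exact version (`version: 16.13.2`) or mirroring the chart into the `@local` repository like the other dependencies would make the build reproducible and reviewable. `kubeVersion: ">=1.9.0-0"` is inherited from upstream and is probably looser than what this platform actually supports.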
@@ -0,0 +1,323 @@ +# oauth2-proxy + +[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. + +## TL;DR; + +```console +$ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests +$ helm install my-release oauth2-proxy/oauth2-proxy +``` + +## Introduction + +This chart bootstraps an oauth2-proxy deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +$ helm install my-release oauth2-proxy/oauth2-proxy +``` + +The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Upgrading an existing Release to a new major version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. + +### To 1.0.0 + +This version upgrades oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade. + +### To 2.0.0 + +Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information. 
+ +Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade` of this chart from versions earlier than 2.0.0. + +### To 3.0.0 + +Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set `serviceAccount.enabled` to `false` + +### To 4.0.0 + +Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**. +Therefore the `ingress.extraPaths` parameter needs to be updated to the new format. +See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information. + +For the same reason `service.port` was renamed to `service.portNumber`. + +### To 5.0.0 + +Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). This is a breaking change because many labels of all resources need to be updated to stay consistent. + +In order to upgrade, delete the Deployment before upgrading: + +```bash +kubectl delete deployment my-release-oauth2-proxy +``` + +This will introduce a slight downtime. + +For users who don't want downtime, you can perform these actions: + +- Perform a non-cascading removal of the deployment that keeps the pods running +- Add new labels to pods +- Perform `helm upgrade` + +### To 6.0.0 + +Version 6.0.0 bumps the version of the redis subchart from ~10.6.0 to ~16.4.0. You probably need to adjust your redis config. See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. 
+ +## Configuration + +The following table lists the configurable parameters of the oauth2-proxy chart and their default values. + +Parameter | Description | Default +--- | --- | --- +`affinity` | node/pod affinities | None +`authenticatedEmailsFile.enabled` | Enables authorize individual email addresses | `false` +`authenticatedEmailsFile.persistence` | Defines how the email addresses file will be projected, via a configmap or secret | `configmap` +`authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` +`authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the email addresses list | `""` +`authenticatedEmailsFile.restricted_access` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config | `""` +`authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` +`config.clientID` | oauth client ID | `""` +`config.clientSecret` | oauth client secret | `""` +`config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` +`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret.yaml) for the required values | `nil` +`config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` +`config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` +`config.cookieName` | The name of the cookie that oauth2-proxy will create. 
| `""` +`alphaConfig.enabled` | Flag to toggle any alpha config related logic | `false` +`alphaConfig.annotations` | Configmap annotations | `{}` +`alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` +`alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` +`alphaConfig.configData` | Arbitrary configuration data to append | `{}` +`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap-alpha.yaml) for the required values | `nil` +`customLabels` | Custom labels to add into metadata | `{}` | +`config.google.adminEmail` | user impersonated by the google service account | `""` +`config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false` +`config.google.targetPrincipal` | service account to use/impersonate | `""` +`config.google.serviceAccountJson` | google service account json contents | `""` +`config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` +`config.google.groups` | restrict logins to members of these google groups | `[]` +`containerPort` | used to customise port on the deployment | `""` +`extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows to configure the same flag multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). 
| `{}` or `[]` +`extraContainers` | List of extra containers to be added to the pod | `[]` +`extraEnv` | key:value list of extra environment variables to give the binary | `[]` +`extraVolumes` | list of extra volumes | `[]` +`extraVolumeMounts` | list of extra volumeMounts | `[]` +`hostAlias.enabled` | provide extra ip:hostname alias for network name resolution. +`hostAlias.ip` | `ip` address `hostAliases.hostname` should resolve to. +`hostAlias.hostname` | `hostname` associated to `hostAliases.ip`. +`htpasswdFile.enabled` | enable htpasswd-file option | `false` +`htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}` +`htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` +`httpScheme` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http` +`image.pullPolicy` | Image pull policy | `IfNotPresent` +`image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` +`image.tag` | Image tag | `""` (defaults to appVersion) +`imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) +`ingress.enabled` | Enable Ingress | `false` +`ingress.className` | name referencing IngressClass | `nil` +`ingress.path` | Ingress accepted path | `/` +`ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` +`ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). 
| `[]` +`ingress.annotations` | Ingress annotations | `nil` +`ingress.hosts` | Ingress accepted hostnames | `nil` +`ingress.tls` | Ingress TLS configuration | `nil` +`livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` +`livenessProbe.initialDelaySeconds` | number of seconds | 0 +`livenessProbe.timeoutSeconds` | number of seconds | 1 +`nodeSelector` | node labels for pod assignment | `{}` +`deploymentAnnotations` | annotations to add to the deployment | `{}` +`podAnnotations` | annotations to add to each pod | `{}` +`podLabels` | additional labesl to add to each pod | `{}` +`podDisruptionBudget.enabled`| Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true +`podDisruptionBudget.minAvailable`| minAvailable parameter for PodDisruptionBudget | 1 +`podSecurityContext` | Kubernetes security context to apply to pod | `{}` +`priorityClassName` | priorityClassName | `nil` +`readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` +`readinessProbe.initialDelaySeconds` | number of seconds | 0 +`readinessProbe.timeoutSeconds` | number of seconds | 5 +`readinessProbe.periodSeconds` | number of seconds | 10 +`readinessProbe.successThreshold` | number of successes | 1 +`replicaCount` | desired number of pods | `1` +`resources` | pod resource requests & limits | `{}` +`revisionHistoryLimit` | maximum number of revisions maintained | 10 +`service.portNumber` | port number for the service | `80` +`service.appProtocol` | application protocol on the port of the service | `http` +`service.type` | type of service | `ClusterIP` +`service.clusterIP` | cluster ip address | `nil` +`service.loadBalancerIP` | ip of load balancer | `nil` +`service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` +`service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` +`serviceAccount.enabled` | create a service account | `true` +`serviceAccount.name` | the service account name | `` +`serviceAccount.annotations` | (optional) annotations for the service account | `{}` +`tolerations` | list of node taints to tolerate | `[]` +`securityContext.enabled` | enable Kubernetes security context on container | `false` +`securityContext.runAsNonRoot` | make sure that the container runs as a non-root user | `true` +`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. 
When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` +`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie` +`sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` +`sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from redis subchart secret if not set. sessionStorage.redis.existingSecret takes precedence | `nil` +`sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the redis password value | `redis-password` +`sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` +`sessionStorage.redis.standalone.connectionUrl` | URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set. | `""` +`sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` +`sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` +`sessionStorage.redis.sentinel.password` | Redis sentinel password. 
Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` | `nil` +`sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the redis sentinel password value | `redis-sentinel-password` +`sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` +`sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` +`topologySpreadConstraints` | List of pod topology spread constraints | `[]` +`redis.enabled` | Enable the redis subchart deployment | `false` +`checkDeprecation` | Enable deprecation checks | `true` +`metrics.enabled` | Enable Prometheus metrics endpoint | `true` +`metrics.port` | Serve Prometheus metrics on this port | `44180` +`metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` +`metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` +`metrics.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` +`metrics.servicemonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` +`metrics.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` +`metrics.servicemonitor.interval` | Prometheus scrape interval | `60s` +`metrics.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` +`metrics.servicemonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}` +`extraObjects` | Extra K8s manifests to deploy | `[]` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release oauth2-proxy/oauth2-proxy \ + --set=image.tag=v0.0.2,resources.limits.cpu=200m +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. 
For example, + +```console +$ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## TLS Configuration + +See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls). +Use ```values.yaml``` like: + +```yaml +... +extraArgs: + tls-cert-file: /path/to/cert.pem + tls-key-file: /path/to/cert.key + +extraVolumes: + - name: ssl-cert + secret: + secretName: my-ssl-secret + +extraVolumeMounts: + - mountPath: /path/to/ + name: ssl-cert +... +``` + +With a secret called `my-ssl-secret`: + +```yaml +... +data: + cert.pem: AB..== + cert.key: CD..== +``` + +## Extra environment variable templating +The extraEnv value supports the tpl function which evaluate strings as templates inside the deployment template. +This is useful to pass a template string as a value to the chart's extra environment variables and to render external configuration environment values + + +```yaml +... +tplValue: "This is a test value for the tpl function" +extraEnv: + - name: TEST_ENV_VAR_1 + value: test_value_1 + - name: TEST_ENV_VAR_2 + value: '{{ .Values.tplValue }}' +``` + +## Custom templates configuration +You can replace the default template files using a Kubernetes `configMap` volume. The default templates are the two files [sign_in.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/sign_in.html) and [error.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/error.html). + +```yaml +config: + configFile: | + ... 
+ custom_templates_dir = "/data/custom-templates" + +extraVolumes: + - name: custom-templates + configMap: + name: oauth2-proxy-custom-templates + +extraVolumeMounts: + - name: custom-templates + mountPath: "/data/custom-templates" + readOnly: true + +extraObjects: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: oauth2-proxy-custom-templates + data: + sign_in.html: | + + + sign_in + + error.html: | + + + +

error

+

{{.StatusCode}}

+ + +``` +## Multi whitelist-domain configuration +For using multi whitelist-domain configuration for one Oauth2-proxy instance, you have to use the config.configFile section. + +It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` configuration file. +In this example, Google provider is used, but you can find all other provider configuration here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/) + +```yaml +config: + ... + clientID="$YOUR_GOOGLE_CLIENT_ID" + clientSecret="$YOUR_GOOGLE_CLIENT_SECRET" + cookieSecret="$YOUR_COOKIE_SECRET" + configFile: | + ... + email_domains = [ "*" ] + upstreams = [ "file:///dev/null" ] + cookie_secure = "false" + cookie_domains = [ ".domain.com", ".otherdomain.io" ] + whitelist_domains = [ ".domain.com", ".otherdomain.io"] + provider = "google" +``` diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml new file mode 100644 index 0000000000..fc2ba605ad --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml new file mode 100644 index 0000000000..92dc451807 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml @@ -0,0 +1,4 @@ +extraArgs: + pass-authorization-header: "true" + request-logging: "true" + allowed-role: client_id:client_role 
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml
new file mode 100644
index 0000000000..5f47a5f479
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml
@@ -0,0 +1,5 @@
+extraArgs:
+ - "--pass-authorization-header=true"
+ - "--request-logging=true"
+ - --allowed-role=client_id:client_role_A
+ - --allowed-role=client_id_B:client_role_C
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml
new file mode 100644
index 0000000000..357dba9153
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml
@@ -0,0 +1,6 @@
+tplValue: "This is a test value for the template function"
+extraEnv:
+ - name: TEST_ENV_VAR_1
+ value: test_value_1
+ - name: TEST_ENV_VAR_2
+ value: '{{ .Values.tplValue }}'
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml
new file mode 100644
index 0000000000..e74a393db0
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml
@@ -0,0 +1,14 @@
+ingress:
+ enabled: true
+ path: /
+ pathType: ImplementationSpecific
+ hosts:
+ - chart-example.local
+ extraPaths:
+ - path: /*
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: ssl-redirect
+ port:
+ name: use-annotation
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml
new file mode 100644
index 0000000000..25b16272a7
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml
@@ -0,0 +1 @@
+replicaCount: 2 # Enables PodDisruptionBudget which is disabled when replicaCount is 1
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml
new file mode 100644
index 0000000000..b7c8cea546
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml
@@ -0,0 +1,4 @@
+# Allocate a FSGroup that owns the pod’s volumes via podSecurityContext
+---
+podSecurityContext:
+ fsGroup: 2000
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml
new file mode 100644
index 0000000000..e3418c39fa
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml
@@ -0,0 +1,12 @@
+sessionStorage:
+ type: redis
+ redis:
+ clientType: "standalone"
+ password: "foo"
+redis:
+ # provision an instance of the redis sub-chart
+ enabled: true
+ architecture: standalone
+ global:
+ redis:
+ password: "foo"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml
new file mode 100644
index 0000000000..9d31c28541
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml
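Review bot: In ci/redis-standalone-values.yaml the literal `password: "foo"` is set twice (under `sessionStorage.redis` and under `redis.global.redis`) with nothing marking the file as a CI-only fixture. CI values files tend to be copied as starting points, so the file should open with a comment such as `# CI fixture only: for real deployments reference a Kubernetes secret via sessionStorage.redis.existingSecret`. The chart README in this commit already documents `sessionStorage.redis.existingSecret` and `sessionStorage.redis.passwordKey` for that purpose.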
@@ -0,0 +1,4 @@
+metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml
new file mode 100644
index 0000000000..65977d921b
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml
@@ -0,0 +1,21 @@
+extraEnv:
+ - name: TEST_ENV_VAR_2
+ value: '{{ $.Release.Name }}'
+ingress:
+ enabled: true
+ hosts:
+ - "{{ $.Release.Name }}.local"
+ tls:
+ - hosts:
+ - "{{ $.Release.Name }}.local"
+oauth2-proxy:
+ checkDeprecation: false
+ config:
+ clientSecret: '{{ $.Release.Name }}'
+ configFile: |
+ oidc_issuer_url = "https://{{ $.Release.Name }}/dex"
+
+pass_authorization_header: "true"
+
+extraArgs:
+ pass-authorization-header: "{{ $.Values.pass_authorization_header }}"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt
new file mode 100644
index 0000000000..aa749e0b9d
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt
@@ -0,0 +1,3 @@
+To verify that oauth2-proxy has started, run:
+
+ kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "oauth2-proxy.name" . }}"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl
new file mode 100644
index 0000000000..f959f10e49
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl
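Review bot: ci/servicemonitor-values.yaml spells the key `serviceMonitor`, while the chart README added in this same commit documents the options as `metrics.servicemonitor.*`. Helm values keys are case-sensitive, so one of the two spellings does not match what the templates read. The ServiceMonitor template is not visible in this part of the page, so the correct spelling has to be checked there. If the template reads the lower-case key, this CI case renders without a ServiceMonitor and exercises nothing.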
@@ -0,0 +1,23 @@
+{{/*
+Returns the appropriate apiVersion for podDisruptionBudget object.
+*/}}
+{{- define "capabilities.podDisruptionBudget.apiVersion" -}}
+{{- if semverCompare ">=1.21-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}}
+{{- print "policy/v1" -}}
+{{- else -}}
+{{- print "policy/v1beta1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress object.
+*/}}
+{{- define "capabilities.ingress.apiVersion" -}}
+{{- if semverCompare "<1.14-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl
new file mode 100644
index 0000000000..87c64493b7
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl
@@ -0,0 +1,110 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "oauth2-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "oauth2-proxy.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "oauth2-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Generate basic labels
+*/}}
+{{- define "oauth2-proxy.labels" }}
+helm.sh/chart: {{ include "oauth2-proxy.chart" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: authentication-proxy
+app.kubernetes.io/part-of: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "oauth2-proxy.selectorLabels" }}
+app.kubernetes.io/name: {{ include "oauth2-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Get the secret name.
+*/}}
+{{- define "oauth2-proxy.secretName" -}}
+{{- if .Values.config.existingSecret -}}
+{{- printf "%s" .Values.config.existingSecret -}}
+{{- else -}}
+{{- printf "%s" (include "oauth2-proxy.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "oauth2-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.enabled -}}
+ {{ default (include "oauth2-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Redis subcharts fullname
+*/}}
+{{- define "oauth2-proxy.redis.fullname" -}}
+{{- if .Values.redis.enabled -}}
+{{- include "common.names.fullname" (dict "Chart" (dict "Name" "redis") "Release" .Release "Values" .Values.redis) -}}
+{{- else -}}
+{{ fail "attempting to use redis subcharts fullname, even though the subchart is not enabled. This will lead to misconfiguration" }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Compute the redis url if not set explicitly.
+*/}}
+{{- define "oauth2-proxy.redis.StandaloneUrl" -}}
+{{- if .Values.sessionStorage.redis.standalone.connectionUrl -}}
+{{ .Values.sessionStorage.redis.standalone.connectionUrl }}
+{{- else if .Values.redis.enabled -}}
+{{- printf "redis://%s-master:%.0f" (include "oauth2-proxy.redis.fullname" .) .Values.redis.master.service.ports.redis -}}
+{{- else -}}
+{{ fail "please set sessionStorage.redis.standalone.connectionUrl or enable the redis subchart via redis.enabled" }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns the version
+*/}}
+{{- define "oauth2-proxy.version" -}}
+{{ trimPrefix "v" (lower (.Values.image.tag | default (printf "v%s" .Chart.AppVersion))) }}
+{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl
new file mode 100644
index 0000000000..f4a3cad0e4
--- /dev/null
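Review bot: The comment on `oauth2-proxy.version` in _helpers.tpl ("Returns the version") does not say that the helper lower-cases `image.tag` and strips a leading `v`. The deployment template later in this commit builds the image reference as `...:v{{ include "oauth2-proxy.version" . }}`, so every tag is forced into the `v<version>` form and a tag of any other shape cannot be selected through `image.tag`. The comment should spell that out, for example `Returns image.tag (default: v<appVersion>) lower-cased, without the leading "v"; deployment.yaml re-adds "v", so image.tag must be a v-prefixed version.` The README row for `image.tag` would benefit from the same remark.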
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl
@@ -0,0 +1,46 @@
+{{/*
+Returns `true` if the API `ingressClassName` field is supported and `false` otherwise
+*/}}
+{{- define "ingress.supportsIngressClassName" -}}
+{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns `true` if the API `pathType` field is supported and `false` otherwise
+*/}}
+{{- define "ingress.supportsPathType" -}}
+{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns the appropriate ingress `backend` fields depending on the Kubernetes API version.
+e.g.: `{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}`
+Where the dict must contain the following entries:
+- `serviceName` {String} - Name of an existing service backend
+- `servicePort` {String|Number} - Port name or port number of the service.
+- `context` {Dict} - (Parent) Context for the template evaluation required for the API version detection.
+*/}}
+{{- define "ingress.backend" -}}
+{{- $apiVersion := ( include "capabilities.ingress.apiVersion" .context ) -}}
+{{- if or ( eq $apiVersion "extensions/v1beta1" ) ( eq $apiVersion "networking.k8s.io/v1beta1" ) -}}
+serviceName: {{ .serviceName }}
+servicePort: {{ .servicePort }}
+{{- else -}}
+service:
+ name: {{ .serviceName }}
+ port:
+ {{- if typeIs "string" .servicePort }}
+ name: {{ .servicePort }}
+ {{- else if or ( typeIs "int" .servicePort ) ( typeIs "float64" .servicePort ) }}
+ number: {{ .servicePort }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
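Review bot: In `ingress.backend`, a `servicePort` that is neither a string nor `int`/`float64` falls through both branches and leaves `port:` empty in the rendered Ingress. Helm can hand a number in as `int64` (for instance when it is given with `--set`), so the second branch should read `{{- else if or ( typeIs "int" .servicePort ) ( typeIs "int64" .servicePort ) ( typeIs "float64" .servicePort ) }}`. The usage example in the comment above the definition also names `common.ingress.backend`, while the template defined here is `ingress.backend`; the example should use the local name.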
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml
new file mode 100644
index 0000000000..7ba0273ab2
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.alphaConfig.enabled }}
+{{- if not .Values.alphaConfig.existingConfig }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+{{- if .Values.alphaConfig.annotations }}
+ annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }}
+{{- end }}
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ {{- include "oauth2-proxy.labels" . | indent 4 }}
+ name: {{ template "oauth2-proxy.fullname" . }}-alpha
+data:
+ oauth2_proxy.yml: |
+ ---
+ server:
+ BindAddress: '0.0.0.0:4180'
+ {{- if .Values.alphaConfig.serverConfigData }}
+ {{- toYaml .Values.alphaConfig.serverConfigData | nindent 6 }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ metricsServer:
+ BindAddress: '0.0.0.0:44180'
+ {{- if .Values.alphaConfig.metricsConfigData }}
+ {{- toYaml .Values.alphaConfig.metricsConfigData | nindent 6 }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.alphaConfig.configData }}
+ {{- toYaml .Values.alphaConfig.configData | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
new file mode 100644
index 0000000000..cf4e77eaaa
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
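Review bot: In configmap-alpha.yaml, `metricsServer.BindAddress` is the literal `'0.0.0.0:44180'`, while the chart README in this commit describes `metrics.port` as the port metrics are served on. Overriding `metrics.port` therefore does not move the listener in alpha-config mode, and the listener is bound on every pod interface. If the value is meant only for the Service (the Service template is not in this part of the page), a comment next to the literal should say so, e.g. `{{/* listener port is fixed at 44180; metrics.port presumably sets the Service port only */}}`. The same applies to the `server.BindAddress` literal two lines above, which `alphaConfig.serverConfigData` is appended to rather than able to replace.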
@@ -0,0 +1,17 @@
+{{- if .Values.authenticatedEmailsFile.enabled }}
+{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+{{- if .Values.authenticatedEmailsFile.annotations }}
+ annotations:
+{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
+{{- end }}
+ name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+data:
+ {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | quote }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml
new file mode 100644
index 0000000000..8a19ccb943
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml
@@ -0,0 +1,17 @@
+{{- if not .Values.config.existingConfig }}
+{{- if .Values.config.configFile }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+{{- if .Values.config.annotations }}
+ annotations:
+{{ toYaml .Values.config.annotations | indent 4 }}
+{{- end }}
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+data:
+ oauth2_proxy.cfg: {{ tpl .Values.config.configFile $ | quote }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml
new file mode 100644
index 0000000000..4523591231
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml
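Review bot: templates/configmap.yaml has no comment telling the reader that `config.configFile` is rendered, after `tpl` evaluation, into a plain ConfigMap under `oauth2_proxy.cfg`. Any credential placed in that value is therefore stored unprotected and readable by anyone who can read ConfigMaps in the namespace. A header comment would prevent that mistake, e.g. `{{/* config.configFile lands in a ConfigMap in plain text; keep client and cookie secrets in config.clientSecret / config.cookieSecret or config.existingSecret. */}}`. The README row for `config.configFile` would benefit from the same sentence.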
@@ -0,0 +1,345 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + {{- if .Values.deploymentAnnotations }} + annotations: +{{ toYaml .Values.deploymentAnnotations | indent 8 }} + {{- end }} + name: {{ template "oauth2-proxy.fullname" . }} +spec: + replicas: {{ .Values.replicaCount }} + {{- if .Values.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.alphaConfig.enabled }} + checksum/alpha-config: {{ include (print $.Template.BasePath "/configmap-alpha.yaml") . | sha256sum }} + {{- end }} + checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }} + checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} +{{- if .Values.htpasswdFile.enabled }} + checksum/htpasswd: {{ include (print $.Template.BasePath "/secret-htpasswd-file.yaml") . | sha256sum }} +{{- end }} + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} + {{- include "oauth2-proxy.labels" . | indent 8 }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . 
| nindent 8 }} + {{- end }} + serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }} + automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }} + {{- if .Values.hostAlias.enabled }} + hostAliases: + - ip: {{ .Values.hostAlias.ip }} + hostnames: + - {{ .Values.hostAlias.hostname }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}" + #image: "{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + {{- if .Values.alphaConfig.enabled }} + - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml + {{- else }} + - --http-address=0.0.0.0:4180 + - --https-address=0.0.0.0:4443 + {{- if .Values.metrics.enabled }} + - --metrics-address=0.0.0.0:44180 + {{- end }} + {{- end }} + {{- if .Values.config.cookieName }} + - --cookie-name={{ .Values.config.cookieName }} + {{- end }} + {{- if kindIs "map" .Values.extraArgs }} + {{- range $key, $value := .Values.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ tpl ($value | toString) $ }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- end }} + {{- if kindIs "slice" .Values.extraArgs }} + {{- with .Values.extraArgs }} + {{- toYaml . 
| nindent 10 }} + {{- end }} + {{- end }} + {{- if or .Values.config.existingConfig .Values.config.configFile }} + - --config=/etc/oauth2_proxy/oauth2_proxy.cfg + {{- end }} + {{- if .Values.authenticatedEmailsFile.enabled }} + {{- if .Values.authenticatedEmailsFile.template }} + - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} + {{- else }} + - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list + {{- end }} + {{- end }} + {{- with .Values.config.google }} + {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }} + - --google-admin-email={{ .adminEmail }} + {{- if .useApplicationDefaultCredentials }} + - --google-use-application-default-credentials=true + {{- else }} + - --google-service-account-json=/google/service-account.json + {{- end }} + {{- if .targetPrincipal }} + - --google-target-principal={{ .targetPrincipal }} + {{- end }} + {{- end }} + {{- if .groups }} + {{- range $group := .groups }} + - --google-group={{ $group }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.htpasswdFile.enabled }} + - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt + {{- end }} + env: + {{- if .Values.proxyVarsAsSecrets }} + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . }} + key: client-id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . }} + key: client-secret + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . 
}} + key: cookie-secret + {{- end }} + {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }} + - name: OAUTH2_PROXY_SESSION_STORE_TYPE + value: "redis" + {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}} + - name: OAUTH2_PROXY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.sessionStorage.redis.existingSecret }} + name: {{ .Values.sessionStorage.redis.existingSecret }} + {{- else if .Values.sessionStorage.redis.password }} + name: {{ template "oauth2-proxy.fullname" . }}-redis-access + {{- else }} + name: {{ include "oauth2-proxy.redis.fullname" . }} + {{- end }} + key: {{ .Values.sessionStorage.redis.passwordKey }} + {{- end }} + {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }} + - name: OAUTH2_PROXY_REDIS_CONNECTION_URL + value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }} + - name: OAUTH2_PROXY_REDIS_USE_CLUSTER + value: "true" + - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }} + - name: OAUTH2_PROXY_REDIS_USE_SENTINEL + value: "true" + - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME + value: {{ .Values.sessionStorage.redis.sentinel.masterName }} + - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }} + {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }} + - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD + valueFrom: + secretKeyRef: + {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }} + name: {{ .Values.sessionStorage.redis.sentinel.existingSecret 
| default .Values.sessionStorage.redis.existingSecret }} + {{- else }} + name: {{ template "oauth2-proxy.fullname" . }}-redis-access + {{- end }} + key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.extraEnv }} +{{ tpl (toYaml .Values.extraEnv) . | indent 8 }} + {{- end }} + ports: + {{- if .Values.containerPort }} + - containerPort: {{ .Values.containerPort }} + {{- else if (and (eq .Values.httpScheme "http") (empty .Values.containerPort)) }} + - containerPort: 4180 + {{- else if (and (eq .Values.httpScheme "https") (empty .Values.containerPort)) }} + - containerPort: 4443 + {{- else }} + {{- end}} + name: {{ .Values.httpScheme }} + protocol: TCP +{{- if .Values.metrics.enabled }} + - containerPort: 44180 + protocol: TCP + name: metrics +{{- end }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /ping + port: {{ .Values.httpScheme }} + scheme: {{ .Values.httpScheme | upper }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ if gt (include "oauth2-proxy.version" .) 
"7.4.0" }}/ready{{ else }}/ping{{ end }} + port: {{ .Values.httpScheme }} + scheme: {{ .Values.httpScheme | upper }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} +{{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumeMounts: +{{- with .Values.config.google }} +{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} + - name: google-secret + mountPath: /google + readOnly: true +{{- end }} +{{- end }} +{{- if or .Values.config.existingConfig .Values.config.configFile }} + - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg + name: configmain + subPath: oauth2_proxy.cfg +{{- end }} +{{- if .Values.alphaConfig.enabled }} + - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml + name: configalpha + subPath: oauth2_proxy.yml +{{- end }} +{{- if .Values.authenticatedEmailsFile.enabled }} + - mountPath: /etc/oauth2-proxy + name: configaccesslist + readOnly: true +{{- end }} +{{- if .Values.htpasswdFile.enabled }} + - mountPath: /etc/oauth2_proxy/htpasswd + name: {{ template "oauth2-proxy.fullname" . 
}}-htpasswd-file + readOnly: true +{{- end }} +{{- if ne (len .Values.extraVolumeMounts) 0 }} +{{ toYaml .Values.extraVolumeMounts | indent 8 }} +{{- end }} +{{- if .Values.securityContext.enabled }} +{{- $securityContext := unset .Values.securityContext "enabled" }} + securityContext: + {{- toYaml $securityContext | nindent 10 }} +{{- end }} +{{- if .Values.extraContainers }} + {{- toYaml .Values.extraContainers | nindent 6 }} +{{- end }} + volumes: +{{- with .Values.config.google }} +{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} + - name: google-secret + secret: + secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}-google{{ end }} +{{- end }} +{{- end }} + +{{- if .Values.htpasswdFile.enabled }} + - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file + secret: + secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }} +{{- end }} + +{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }} + - name: configaccesslist + secret: + items: + - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} +{{- if .Values.authenticatedEmailsFile.template }} + path: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + path: authenticated-emails-list +{{- end }} +{{- if .Values.authenticatedEmailsFile.template }} + secretName: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist +{{- end }} +{{- end }} + +{{- if or .Values.config.existingConfig .Values.config.configFile }} + - configMap: + defaultMode: 420 + name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . 
}}{{ end }} + name: configmain +{{- end }} +{{- if .Values.alphaConfig.enabled }} + - configMap: + defaultMode: 420 + name: {{ if .Values.alphaConfig.existingConfig }}{{ .Values.alphaConfig.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} + name: configalpha +{{- end }} +{{- if ne (len .Values.extraVolumes) 0 }} +{{ toYaml .Values.extraVolumes | indent 6 }} +{{- end }} +{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} + - configMap: +{{- if .Values.authenticatedEmailsFile.template }} + name: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + name: {{ template "oauth2-proxy.fullname" . }}-accesslist +{{- end }} + items: + - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} +{{- if .Values.authenticatedEmailsFile.template }} + path: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + path: authenticated-emails-list +{{- end }} + name: configaccesslist +{{- end }} + + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml new file mode 100644 index 0000000000..126d3e7a18 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml 
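Review bot: In the `extraArgs` map loop of deployment.yaml, `{{- if $value }}` treats `false`, `0` and `""` as empty, so a constructed entry such as `some-flag: false` is rendered as the bare argument `--some-flag`, which a boolean command-line flag reads as enabled. For a security-relevant switch that inverts what the operator wrote. Rendering explicit booleans as values, e.g. `{{- if or $value (kindIs "bool" $value) }}`, makes `false` come out as `--some-flag=false`. Separately, the readiness probe selects `/ready` with `gt (include "oauth2-proxy.version" .) "7.4.0"`, a string comparison that orders `7.10.0` before `7.4.0`. Assuming the helper returns a plain semver string, `semverCompare ">7.4.0" (include "oauth2-proxy.version" .)` compares the versions numerically.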
@@ -0,0 +1,12 @@ +{{- if .Values.checkDeprecation }} + {{- if .Values.service.port }} + {{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }} + {{- end }} + {{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}} + {{- range .Values.ingress.extraPaths }} + {{- if or (.backend.serviceName) (.backend.servicePort) }} + {{ fail "Please update the format of your `ingress.extraPaths` to the new ingress apiVersion `networking.k8s.io/v1` format" }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml new file mode 100644 index 0000000000..a9bb3b6ba8 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml new file mode 100644 index 0000000000..5703273d93 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.config.google (and (not .Values.config.google.existingSecret) (not .Values.config.google.useApplicationDefaultCredentials)) }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-google +type: Opaque +data: + service-account.json: {{ .Values.config.google.serviceAccountJson | b64enc | quote }} +{{- end -}} 
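Review bot: The guard on the Secret in google-secret.yaml does not require `serviceAccountJson`, so any non-empty `config.google` without `existingSecret` or `useApplicationDefaultCredentials` (for example one that only sets `groups`) reaches `.Values.config.google.serviceAccountJson | b64enc` with no value. That will probably fail rendering or produce a Secret with an empty credential. deployment.yaml in this commit mounts `google-secret` only when `adminEmail` is set together with `serviceAccountJson` or `existingSecret`, and the two conditions should agree. Adding `.Values.config.google.serviceAccountJson` as a further operand of the inner `and` would align them.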
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml new file mode 100644 index 0000000000..73fd758d16 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml @@ -0,0 +1,40 @@ +{{- if .Values.ingress.enabled -}} +{{- $serviceName := include "oauth2-proxy.fullname" . -}} +{{- $servicePort := .Values.service.portNumber -}} +{{- $ingressPath := .Values.ingress.path -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $extraPaths := .Values.ingress.extraPaths -}} +apiVersion: {{ include "capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} +{{- with .Values.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + {{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }} + ingressClassName: {{ .Values.ingress.className | quote }} + {{- end }} + rules: + {{- range $host := .Values.ingress.hosts }} + - host: {{ tpl $host $ | quote }} + http: + paths: +{{- if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if eq "true" ( include "ingress.supportsPathType" $ ) }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: {{- include "ingress.backend" ( dict "serviceName" $serviceName "servicePort" $servicePort "context" $ ) | nindent 14 }} + {{- end -}} + {{- if .Values.ingress.tls }} + tls: +{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }} + {{- end -}} +{{- end -}} 
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..7cdbbbeabb --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.podDisruptionBudget.enabled (gt (.Values.replicaCount | int) 1) }} +apiVersion: {{ include "capabilities.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} +spec: + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml new file mode 100644 index 0000000000..7a1555d8b3 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml 
@@ -0,0 +1,22 @@ +{{- $name := include "oauth2-proxy.name" . -}} +{{- $fullName := include "oauth2-proxy.fullname" . -}} +{{- $labels := include "oauth2-proxy.labels" . -}} +{{- with .Values.sessionStorage }} +{{- if and (eq .type "redis") (not .redis.existingSecret) (or .redis.password .redis.sentinel.password) }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ $name }} + {{- $labels | indent 4 }} + name: {{ $fullName }}-redis-access +type: Opaque +data: + {{- if and .redis.password (not .redis.existingSecret) }} + {{ .redis.passwordKey }}: {{ .redis.password | b64enc | quote }} + {{- end }} + {{- if and .redis.sentinel.password (not .redis.sentinel.existingSecret) (ne .redis.sentinel.passwordKey .redis.passwordKey) }} + {{ .redis.sentinel.passwordKey }}: {{ .redis.sentinel.password | b64enc | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml new file mode 100644 index 0000000000..ce79db1dce --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml 
@@ -0,0 +1,18 @@ +{{- if .Values.authenticatedEmailsFile.enabled }} +{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "secret") }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} +{{- if .Values.authenticatedEmailsFile.annotations }} + annotations: +{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }} +{{- end }} + name: {{ template "oauth2-proxy.fullname" . }}-accesslist +data: + {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | b64enc }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml new file mode 100644 index 0000000000..44fe67e96a --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.htpasswdFile.enabled (not .Values.htpasswdFile.existingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file +type: Opaque +stringData: + users.txt: |- + {{- range $entries := .Values.htpasswdFile.entries }} + {{ $entries }} + {{- end -}} +{{- end }} \ No newline at end of file diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml new file mode 100644 index 0000000000..c9b3791f89 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml 
@@ -0,0 +1,18 @@ +{{- if and (not .Values.config.existingSecret) (.Values.proxyVarsAsSecrets) }} +apiVersion: v1 +kind: Secret +metadata: +{{- if .Values.config.annotations }} + annotations: +{{ toYaml .Values.config.annotations | indent 4 }} +{{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} +type: Opaque +data: + cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }} + client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }} + client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }} +{{- end -}} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml new file mode 100644 index 0000000000..d9563ac283 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml 
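Review bot: secret.yaml renders `cookie-secret`, `client-secret` and `client-id` from values with no check that they were overridden, while values.yaml in this commit ships `cookieSecret: "XXXXXXXXXXXXXXXX"` and similar placeholders for the client credentials. With `proxyVarsAsSecrets` on and no override, the release would protect session cookies with a publicly known secret; the placeholder looks long enough for oauth2-proxy to accept, though that is not verified here. A guard at the top of the template, such as `{{- if eq .Values.config.cookieSecret "XXXXXXXXXXXXXXXX" }}{{ fail "config.cookieSecret must be overridden" }}{{- end }}`, would turn the silent default into a render error. Whether a parent chart always overrides these values is not visible in this hunk.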
@@ -0,0 +1,54 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} +{{- if .Values.service.annotations }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} + type: ClusterIP + {{- if .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{end}} +{{- else if eq .Values.service.type "LoadBalancer" }} + type: {{ .Values.service.type }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} + {{- end -}} +{{- else }} + type: {{ .Values.service.type }} +{{- end }} + ports: + - port: {{ .Values.service.portNumber }} + targetPort: {{ .Values.httpScheme }} + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + protocol: TCP + {{- with .Values.service.appProtocol }} + appProtocol: {{ . }} + {{- end }} + name: {{ .Values.httpScheme }} + {{- if and .Values.metrics.enabled .Values.metrics.port }} + - port: {{ .Values.metrics.port }} + protocol: TCP + {{- with .Values.metrics.service.appProtocol }} + appProtocol: {{ . }} + {{- end }} + targetPort: metrics + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.metrics.nodePort))) }} + nodePort: {{ .Values.metrics.nodePort }} + {{- end }} + name: metrics + {{- end }} + selector: + {{- include "oauth2-proxy.selectorLabels" . | indent 4 }} 
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml new file mode 100644 index 0000000000..6d0a9d7c59 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +{{- if or .Values.serviceAccount.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.serviceAccountName" . }} +automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml new file mode 100644 index 0000000000..9c29d1bfd1 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml 
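Review bot: In serviceaccount.yaml, `{{- if or .Values.serviceAccount.enabled -}}` calls `or` with a single operand, which is equivalent to `{{- if .Values.serviceAccount.enabled -}}` and reads as if a second condition was dropped. In the same file, `automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}` renders an empty value when the setting is absent, which leaves Kubernetes on its default of mounting the token. If the proxy does not need API access, `{{ .Values.serviceAccount.automountServiceAccountToken | default false }}` would make the no-token case the fallback; the chart's default for this value lies outside the visible part of values.yaml. The same expression appears in the pod spec in deployment.yaml.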
@@ -0,0 +1,31 @@ +{{- if and .Values.metrics.enabled .Values.metrics.servicemonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "oauth2-proxy.fullname" . }} +{{- if .Values.metrics.servicemonitor.namespace }} + namespace: {{ .Values.metrics.servicemonitor.namespace }} +{{- else }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} + labels: + prometheus: {{ .Values.metrics.servicemonitor.prometheusInstance }} + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} +{{- if .Values.metrics.servicemonitor.labels }} +{{ toYaml .Values.metrics.servicemonitor.labels | indent 4}} +{{- end }} +spec: + jobLabel: {{ template "oauth2-proxy.fullname" . }} + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: metrics + path: "/metrics" + interval: {{ .Values.metrics.servicemonitor.interval }} + scrapeTimeout: {{ .Values.metrics.servicemonitor.scrapeTimeout }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml new file mode 100644 index 0000000000..8f81e15d03 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml 
@@ -0,0 +1,364 @@ +global: + quayRepository: quay.io + +# Force the target Kubernetes version (it uses Helm `.Capabilities` if not set). +# This is especially useful for `helm template` as capabilities are always empty +# due to the fact that it doesn't query an actual cluster +kubeVersion: + +# Oauth client configuration specifics +config: + # Add config annotations + annotations: {} + # OAuth client ID + clientID: "XXXXXXX" + # OAuth client secret + clientSecret: "XXXXXXXX" + # Create a new secret with the following command + # openssl rand -base64 32 | head -c 32 | base64 + # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields) + # Example: + # existingSecret: secret + cookieSecret: "XXXXXXXXXXXXXXXX" + # The name of the cookie that oauth2-proxy will create + # If left empty, it will default to the release name + cookieName: "" + google: {} + # adminEmail: xxxx + # useApplicationDefaultCredentials: true + # targetPrincipal: xxxx + # serviceAccountJson: xxxx + # Alternatively, use an existing secret (see google-secret.yaml for required fields) + # Example: + # existingSecret: google-secret + # groups: [] + # Example: + # - group1@example.com + # - group2@example.com + # Default configuration, to be overridden + configFile: |- + email_domains = [ "*" ] + upstreams = [ "file:///dev/null" ] + # Custom configuration file: oauth2_proxy.cfg + # configFile: |- + # pass_basic_auth = false + # pass_access_token = true + # Use an existing config map (see configmap.yaml for required fields) + # Example: + # existingConfig: config + +alphaConfig: + enabled: false + # Add config annotations + annotations: {} + # Arbitrary configuration data to append to the server section + serverConfigData: {} + # Arbitrary configuration data to append to the metrics section + metricsConfigData: {} + # Arbitrary configuration data to append + configData: {} + # Use an existing config map (see configmap-alpha.yaml for required fields) + existingConfig: ~ + 
+image: + #repository: "quay.io/oauth2-proxy/oauth2-proxy" + repository: "oauth2-proxy/oauth2-proxy" + # appVersion is used by default + tag: "" + pullPolicy: "IfNotPresent" + +# Optionally specify an array of imagePullSecrets. +# Secrets must be manually created in the namespace. +# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod +# imagePullSecrets: + # - name: myRegistryKeySecretName + +# Set a custom containerPort if required. +# This will default to 4180 if this value is not set and the httpScheme set to http +# This will default to 4443 if this value is not set and the httpScheme set to https +# containerPort: 4180 + +extraArgs: {} +extraEnv: [] + +# -- Custom labels to add into metadata +customLabels: {} + +# To authorize individual email addresses +# That is part of extraArgs but since this needs special treatment we need to do a separate section +authenticatedEmailsFile: + enabled: false + # Defines how the email addresses file will be projected, via a configmap or secret + persistence: configmap + # template is the name of the configmap what contains the email user list but has been configured without this chart. + # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service. + # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the + # provided value in restrictedUserAccessKey field. + template: "" + # The configmap/secret key under which the list of email access is stored + # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility + restrictedUserAccessKey: "" + # One email per line + # example: + # restricted_access: |- + # name1@domain + # name2@domain + # If you override the config with restricted_access it will configure a user list within this chart what takes care of the + # config map resource. 
+ restricted_access: "" + annotations: {} + # helm.sh/resource-policy: keep + +service: + type: ClusterIP + # when service.type is ClusterIP ... + # clusterIP: 192.0.2.20 + # when service.type is LoadBalancer ... + # loadBalancerIP: 198.51.100.40 + # loadBalancerSourceRanges: 203.0.113.0/24 + # when service.type is NodePort ... + # nodePort: 80 + portNumber: 80 + # Protocol set on the service + appProtocol: http + annotations: {} + # foo.io/bar: "true" + +## Create or use ServiceAccount +serviceAccount: + ## Specifies whether a ServiceAccount should be created + enabled: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + automountServiceAccountToken: true + annotations: {} + +ingress: + enabled: false + # className: nginx + path: / + # Only used if API capabilities (networking.k8s.io/v1) allow it + pathType: ImplementationSpecific + # Used to create an Ingress record. + # hosts: + # - chart-example.local + # Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1) + # extraPaths: + # - path: /* + # pathType: ImplementationSpecific + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # tls: + # Secrets must be manually created in the namespace. + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # limits: + # cpu: "100m" + # memory: "300Mi" + # requests: + # cpu: "100m" + # memory: "300Mi" + +extraVolumes: [] + # - name: ca-bundle-cert + # secret: + # secretName: + +extraVolumeMounts: [] + # - mountPath: /etc/ssl/certs/ + # name: ca-bundle-cert + +# Additional containers to be added to the pod. 
+extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + +priorityClassName: "" + +# Host aliases, useful when working "on premise" where (public) DNS resolver does not know about my hosts. +hostAlias: + enabled: false + # ip: "10.xxx.xxx.xxx" + # hostname: "auth.example.com" + +# [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. +# Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling +# topologySpreadConstraints: [] + +# Affinity for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +# affinity: {} + +# Tolerations for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +# Node labels for pod assignment +# Ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables +proxyVarsAsSecrets: true + +# Configure Kubernetes liveness and readiness probes. +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +# Disable both when deploying with Istio 1.0 mTLS. 
https://istio.io/help/faq/security/#k8s-health-checks +livenessProbe: + enabled: true + initialDelaySeconds: 0 + timeoutSeconds: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 0 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + +# Configure Kubernetes security context for container +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +securityContext: + enabled: false + runAsNonRoot: true + # allowPrivilegeEscalation: false + # runAsUser: 2000 + +deploymentAnnotations: {} +podAnnotations: {} +podLabels: {} +replicaCount: 1 +revisionHistoryLimit: 10 + +## PodDisruptionBudget settings +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +podDisruptionBudget: + enabled: true + minAvailable: 1 + +# Configure Kubernetes security context for pod +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +podSecurityContext: {} + +# whether to use http or https +httpScheme: http + +# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption. +# Alternatively supply an existing secret which contains the required information. +htpasswdFile: + enabled: false + existingSecret: "" + entries: {} + # One row for each user + # example: + # entries: + # - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy + +# Configure the session storage type, between cookie and redis +sessionStorage: + # Can be one of the supported session storage cookie|redis + type: cookie + redis: + # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) + existingSecret: "" + # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. 
`sessionStorage.redis.existingSecret` takes precedence + password: "" + # Key of the Kubernetes secret data containing the redis password value + passwordKey: "redis-password" + # Can be one of standalone|cluster|sentinel + clientType: "standalone" + standalone: + # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set + connectionUrl: "" + cluster: + # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + sentinel: + # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` + existingSecret: "" + # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` + password: "" + # Key of the Kubernetes secret data containing the redis sentinel password value + passwordKey: "redis-sentinel-password" + # Redis sentinel master name + masterName: "" + # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + +# Enables and configure the automatic deployment of the redis subchart +redis: + # provision an instance of the redis sub-chart + enabled: false + # Redis specific helm chart settings, please see: + # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters + # redisPort: 6379 + # cluster: + # enabled: false + # slaveCount: 1 + +# Enables apiVersion deprecation checks +checkDeprecation: true + +metrics: + # Enable Prometheus metrics endpoint + enabled: true + # Serve Prometheus metrics on this port + port: 44180 + # when service.type is NodePort ... 
+ # nodePort: 44180 + # Protocol set on the service for the metrics port + service: + appProtocol: http + servicemonitor: + # Enable Prometheus Operator ServiceMonitor + enabled: false + # Define the namespace where to deploy the ServiceMonitor resource + namespace: "" + # Prometheus Instance definition + prometheusInstance: default + # Prometheus scrape interval + interval: 60s + # Prometheus scrape timeout + scrapeTimeout: 30s + # Add custom labels to the ServiceMonitor resource + labels: {} + +# Extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: secrets-store.csi.x-k8s.io/v1 + # kind: SecretProviderClass + # metadata: + # name: oauth2-proxy-secrets-store + # spec: + # provider: aws + # parameters: + # objects: | + # - objectName: "oauth2-proxy" + # objectType: "secretsmanager" + # jmesPath: + # - path: "client_id" + # objectAlias: "client-id" + # - path: "client_secret" + # objectAlias: "client-secret" + # - path: "cookie_secret" + # objectAlias: "cookie-secret" + # secretObjects: + # - data: + # - key: client-id + # objectName: client-id + # - key: client-secret + # objectName: client-secret + # - key: cookie-secret + # objectName: cookie-secret + # secretName: oauth2-proxy-secrets-store + # type: Opaque diff --git a/kubernetes/platform/components/oauth2-proxy/values.yaml b/kubernetes/platform/components/oauth2-proxy/values.yaml new file mode 100644 index 0000000000..81a9986d3d --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/values.yaml 
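Review bot: The pod hardening defaults in this values file are off: `securityContext.enabled: false` leaves the container security context unset, and `serviceAccount.automountServiceAccountToken: true` mounts an API token into the authentication proxy. Nothing in these values suggests the proxy calls the Kubernetes API (to be confirmed against the deployment template), so I would default to `automountServiceAccountToken: false` and `securityContext.enabled: true` with `allowPrivilegeEscalation: false` uncommented, and let deployments opt out. The comment above `serviceAccount.name` also refers to `create`, while the key in this file is `enabled`.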
@@ -0,0 +1,74 @@ +onap-oauth2-proxy: + # Oauth client configuration specifics + config: + cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA=" + configFile: |- + email_domains = [ "*" ] # Restrict to these E-Mail Domains, a wildcard "*" allows any email + + alphaConfig: + enabled: true + configData: + providers: + - clientID: "oauth2-proxy" + clientSecret: "5YSOkJz99WHv8enDZPknzJuGqVSerELp" + id: oidc-istio + provider: oidc # We use the generic 'oidc' provider + loginURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/auth + #redeemURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/token + redeemURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/token + profileURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo + validateURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo + scope: "openid email profile groups" + #allowedGroups: + # - admins # List all groups managed at our your IdP which should be allowed access + # - infrateam + # - anothergroup + oidcConfig: + emailClaim: email # Name of the clain in JWT containing the E-Mail + groupsClaim: groups # Name of the claim in JWT containing the Groups + userIDClaim: email # Name of the claim in JWT containing the User ID + audienceClaims: ["aud"] + insecureAllowUnverifiedEmail: true + insecureSkipIssuerVerification: true + skipDiscovery: true # You can try using the well-knwon endpoint directly for auto discovery, here we won't use it + issuerURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP + jwksURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/certs + upstreamConfig: + upstreams: + - id: static_200 + path: / + static: true + staticCode: 200 + # Headers that should be added to responses from the proxy + injectResponseHeaders: # Send this headers in responses from oauth2-proxy + - name: 
X-Auth-Request-Preferred-Username + values: + - claim: preferred_username + - name: X-Auth-Request-Email + values: + - claim: email + + extraArgs: + cookie-secure: "false" + cookie-domain: ".simpledemo.onap.org" # Replace with your base domain + cookie-samesite: lax + cookie-expire: 12h # How long our Cookie is valid + auth-logging: true # Enable / Disable auth logs + request-logging: true # Enable / Disable request logs + standard-logging: true # Enable / Disable the standart logs + show-debug-on-error: true # Disable in production setups + skip-provider-button: true # We only have one provider configured (Keycloak) + silence-ping-logging: true # Keeps our logs clean + whitelist-domain: ".simpledemo.onap.org" # Replace with your base domain + + # Enables and configure the automatic deployment of the redis subchart + redis: + # provision an instance of the redis sub-chart + enabled: false + + +serviceAccount: + nameOverride: oauth2-proxy + roles: + - read + diff --git a/kubernetes/platform/components/oom-cert-service/Chart.yaml b/kubernetes/platform/components/oom-cert-service/Chart.yaml index 072de8c788..c71653b778 100644 --- a/kubernetes/platform/components/oom-cert-service/Chart.yaml +++ b/kubernetes/platform/components/oom-cert-service/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP Cert Service name: oom-cert-service -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: cmpv2Config - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml index 5f80a7dc75..4c97359714 100644 
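Review bot: In the new platform-level oauth2-proxy values.yaml, `config.cookieSecret` and the provider `clientSecret` are committed as literal values, so every installation that keeps these defaults signs session cookies and authenticates to Keycloak with publicly known secrets. The subchart's own values describe `config.existingSecret` for supplying credentials from a Secret; at minimum both literals should be marked as demo-only, the way `show-debug-on-error` is marked with `# Disable in production setups`. The same file sets `insecureSkipIssuerVerification: true`, `insecureAllowUnverifiedEmail: true` and `cookie-secure: "false"`, and `redeemURL`/`jwksURL` use plain `http://`; each weakens token or session protection and none carries a comment tying it to the simpledemo setup. I would add `# demo only, set to "true" when served over TLS` on `cookie-secure` and an equivalent comment on the two `insecure*` keys.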
--- a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml @@ -33,8 +33,7 @@ spec: {{- end }} {{- end }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} volumes: {{- if .Values.global.addTestingComponents }} - name: cmp-servers-template-volume @@ -57,7 +56,7 @@ spec: command: - /app/ready.py args: - - --container-name + - --service-name - ejbca-ejbca env: - name: NAMESPACE @@ -67,6 +66,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - name: subsitute-envs image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index d9c215cd9e..52e7649d6f 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -61,18 +61,18 @@ flavor: small resources: small: limits: - cpu: 0.5 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.2 - memory: 512Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 1 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 0.4 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/platform/values.yaml b/kubernetes/platform/values.yaml index a30dabbcc2..5cc7612473 100644 --- a/kubernetes/platform/values.yaml +++ b/kubernetes/platform/values.yaml 
@@ -32,6 +32,18 @@ global: # Application configuration defaults. ################################################################# +# Control deployment of Platform services at ONAP installation time +chartmuseum: + enabled: true +cmpv2-cert-provider: + enabled: true +oom-cert-service: + enabled: true +keycloak-init: + enabled: false +oauth2-proxy: + enabled: false + flavor: small # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index 8f2723e72e..b305ef48e1 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2022 Nordix Foundation +# Modifications Copyright © 2021, 2022, 2023, 2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,73 +18,82 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' + condition: global.mariadbGalera.localCluster - name: policy-nexus - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-nexus' condition: policy-nexus.enabled - name: policy-api - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-api' condition: policy-api.enabled - name: policy-pap - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-pap' condition: policy-pap.enabled - name: policy-xacml-pdp - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-xacml-pdp' condition: policy-xacml-pdp.enabled - name: policy-apex-pdp - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-apex-pdp' condition: policy-apex-pdp.enabled - name: policy-drools-pdp - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-drools-pdp' condition: policy-drools-pdp.enabled - name: policy-distribution - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-distribution' condition: policy-distribution.enabled - name: policy-clamp-ac-k8s-ppnt - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-clamp-ac-k8s-ppnt' condition: policy-clamp-ac-k8s-ppnt.enabled - name: policy-clamp-ac-http-ppnt - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-clamp-ac-http-ppnt' condition: policy-clamp-ac-http-ppnt.enabled + - name: policy-clamp-ac-a1pms-ppnt + version: ~14.x-0 + repository: 'file://components/policy-clamp-ac-a1pms-ppnt' + condition: policy-clamp-ac-a1pms-ppnt.enabled + - name: policy-clamp-ac-kserve-ppnt + version: ~14.x-0 + repository: 'file://components/policy-clamp-ac-kserve-ppnt' + condition: 
policy-clamp-ac-kserve-ppnt.enabled - name: policy-clamp-ac-pf-ppnt - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-clamp-ac-pf-ppnt' condition: policy-clamp-ac-pf-ppnt.enabled - name: policy-clamp-runtime-acm - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-clamp-runtime-acm' condition: policy-clamp-runtime-acm.enabled - name: policy-gui - version: ~12.x-0 + version: ~14.x-0 repository: 'file://components/policy-gui' condition: policy-gui.enabled - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.postgres.localCluster diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index c91569f1ed..c8a2862326 100755 --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -21,18 +22,15 @@ apiVersion: v2 description: ONAP Policy APEX PDP name: policy-apex-pdp -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json index 7614a8c5b1..441955f1ed 100755 --- a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json +++ b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json @@ -5,10 +5,10 @@ "port": 6969, "userName": "${RESTSERVER_USER}", "password": "${RESTSERVER_PASSWORD}", - "https": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "https": "false", "prometheus": true }, - "pdpStatusParameters":{ + "pdpStatusParameters": { "pdpGroup": "defaultGroup", "timeIntervalMs": 120000, "pdpType":"apex", 
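Review bot: In the first OnapPfConfig.json hunk, `"https": "false"` replaces a rendered boolean with a JSON string, while the `useHttps` keys in the following hunk use the bare boolean `false`. Whether the string is coerced depends on the parser that reads this file, which is not visible here; `"https": false,` avoids the question. The same REST server block carries `userName` and `password`, so with TLS now hard-coded off it would help to state in the commit message whether transport protection is expected from the service mesh.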
@@ -25,18 +25,29 @@ ] }, "topicParameterGroup": { - "topicSources" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, - "fetchTimeout": 15000, - "topicCommInfrastructure" : "dmaap" - }], - "topicSinks" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, - "topicCommInfrastructure" : "dmaap" - }] + "topicSources": [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "fetchTimeout": 15000, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + }}], + "topicSinks" : [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } + }] } } diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml 
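Review bot: Both `additionalProps` blocks fix `"security.protocol": "SASL_PLAINTEXT"`, so the authentication exchange built from `${JAASLOGIN}` and all PDP-PAP messages travel to Kafka unencrypted unless something outside this file (presumably a service mesh) protects the connection. Since `${SASL}` and `${KAFKA_URL}` are already substituted from the environment, the protocol could be too, for example `"security.protocol": "${SECURITY_PROTOCOL}"` (a constructed variable name that would need a matching `env` entry in the init container), which keeps `SASL_SSL` available without editing the template. `group.id` is a consumer setting and is probably not needed under `topicSinks`.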
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
new file mode 100755
index 0000000000..de3e6d1004
--- /dev/null
+++ b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml
@@ -0,0 +1,115 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2018 Ericsson. All rights reserved. +# Modifications Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright © 2022 Nordix Foundation +# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: ["/bin/sh", "-cx"] + args: + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; + cd /config-input && for PFILE in `ls -1`; + do envsubst <${PFILE} >/config/${PFILE}; done + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . 
}}-ku + key: sasl.jaas.config + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} + volumeMounts: + - mountPath: /config-input + name: apexconfig-input + - mountPath: /config + name: apexconfig + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: [ "/bin/sh", "-cx" ] + args: + - id apexuser; + cat /home/apexuser/config/OnapPfConfig.json; + /opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json + ports: {{ include "common.containerPorts" . | nindent 12 }} + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{- end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: REPLICAS + value: "{{ .Values.replicaCount }}" + volumeMounts: + - mountPath: /var/log/onap + name: policy-logs + - mountPath: /home/apexuser/config + name: apexconfig + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: policy-logs + emptyDir: {} + - name: apexconfig-input + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: apexconfig + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..4259381afe --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} + diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml index 6a4d28bc4b..f96e81074e 100755 --- a/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml 
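Review bot: Both containers in the new apex-pdp deployment.yaml run their shell with `-cx`, and the init container's first command assigns `JAASLOGIN` from the Kafka user secret, so the shell trace prints the expanded `sasl.jaas.config` value into the init container log. The main container then runs `cat /home/apexuser/config/OnapPfConfig.json`, which writes the substituted file, including `RESTSERVER_PASSWORD` and the JAAS login, to the pod log. Anyone with log read access, and any log shipper, then holds those credentials. I would use `command: ["/bin/sh", "-c"]` in both places and drop the `cat` line from `args`. Separately, `defaultMode: 0755` on the config map volume marks the config files executable; `0644` looks sufficient for files that are only read by `envsubst`.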
@@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,29 +19,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - sessionAffinity: None +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml deleted file mode 100755 index 71320dc3eb..0000000000 --- a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2018 Ericsson. All rights reserved. -# Modifications Copyright (C) 2020 AT&T Intellectual Property. -# Modifications Copyright © 2022 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "truststore-pass" "key" "password") | indent 10 }} - - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-pass" "key" "password") | indent 10 }} - - name: RESTSERVER_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} - - name: RESTSERVER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} - volumeMounts: - - mountPath: /config-input - name: apexconfig-input - - mountPath: /config - name: apexconfig - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["sh","-c"] - args: ["if [ -f {{ .Values.certInitializer.credsPath }}/.ci ]; then \ - . 
{{ .Values.certInitializer.credsPath }}/.ci; fi;\ - /opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json"] - ports: - - containerPort: {{ .Values.service.externalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.externalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{- end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.externalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: REPLICAS - value: "{{ .Values.replicaCount }}" -{{- if not .Values.global.aafEnabled }} - - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-pass" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-pass" "key" "password") | indent 12 }} -{{- end }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/log/onap - name: policy-logs - - mountPath: /home/apexuser/config - name: apexconfig - resources: -{{ include "common.resources" . }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: policy-logs - emptyDir: {} - - name: apexconfig-input - configMap: - name: {{ include "common.fullname" . 
}}-configmap - defaultMode: 0755 - - name: apexconfig - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index e366c4415e..3cea773d0f 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright © 2022 Nordix Foundation +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +24,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true persistence: {} ################################################################# @@ -35,16 +35,6 @@ secrets: externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' - - uid: truststore-pass - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: keystore-pass - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - uid: policy-kafka-user externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' type: genericKV 
@@ -57,7 +47,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:2.8.1 +image: onap/policy-apex-pdp:3.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -68,29 +58,6 @@ debugEnabled: false restServer: user: healthcheck password: zb!XztG34 -truststore: - password: Pol1cy_0nap -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-apex-pdp-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 101 - gid: 102 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWORD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); # default number of instances replicaCount: 1 @@ -114,32 +81,37 @@ readiness: service: type: ClusterIP name: policy-apex-pdp - portName: http - externalPort: 6969 internalPort: 6969 - nodePort: 37 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account 
@@ -157,7 +129,7 @@ metrics: enabled: true port: policy-apex-pdp interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-apex-pdp-restserver-creds @@ -172,22 +144,24 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap kafka: consumer: - groupId: policy-group + groupId: policy-apex app: listener: policyPdpPapTopic: policy-pdp-pap -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# -# Any new property can be added in the env by setting in overrides in the format mentioned below -# All the added properties must be in "key: value" format instead of yaml. + +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-apex + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index 49c067b639..32c22cbe6c 100755 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml 
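Review bot: With `isHttps: false` the metrics block still has `basicAuth.enabled: true`, so the scrape credentials from `policy-apex-pdp-restserver-creds` go out in a plain `Authorization` header unless something outside this chart encrypts the hop. The `serviceMesh` block added in the same file suggests the mesh is meant to do that, but nothing in the hunk says so. A comment above the changed line, such as `# plain HTTP: transport encryption is expected from the service mesh sidecars`, would record the assumption. The same applies to the `isHttps: false` change in policy-api/values.yaml.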
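Review bot: The new `kafkaUser.acls` give every entry the same `[Create, Describe, Read, Write]` set, which is broader than one consumer group and two topics appear to need. Kafka authorises group resources on Read, Describe and Delete, so `Create` and `Write` on the `policy-apex` group add nothing. `patternType: prefix` extends the topic grants to any topic whose name merely starts with `policy-pdp-pap` or `policy-heartbeat`. If the topics are provisioned elsewhere (not visible in this hunk), `operations: [Describe, Read]` for the group and `patternType: literal` without `Create` for the topics would be the narrower grant.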
@@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +22,15 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index bcee4d35d1..4e73dc0b5b 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -1,6 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. # Modifications Copyright (C) 2022 AT&T Intellectual Property. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -20,7 +21,9 @@ server: port: {{ .Values.service.internalPort }} ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false + servlet: + context-path: /policy/api/v1 spring: security.user: @@ -28,7 +31,8 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}/policyadmin +{{ if not .Values.global.postgres.localCluster }} + url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" @@ -43,6 +47,27 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy +{{ else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort}}/policyadmin + driverClassName: org.postgresql.Driver + username: "${SQL_USER}" + password: "${SQL_PASSWORD}" + hikari: + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 + jpa: + hibernate: + ddl-auto: none + naming: + physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl + implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect + format_sql: true +{{ end }} policy-api: name: ApiGroup diff --git a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml 
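Review bot: `ssl.enabled: false` is now hard-coded where the old line derived it from `common.needTLS`, so the API serves the endpoints protected by `spring.security.user` over plain HTTP in every deployment. If encryption is meant to come from the mesh, the file should say so, for example `# TLS is terminated by the service mesh sidecar; the application listens in clear text`. That makes an install without the mesh a visible decision instead of a silent default.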
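Review bot: The `{{ else }}` branch of the datasource block repeats `username`, `password` and the two Hibernate naming strategies from the MariaDB branch, and the copies already differ: only the PostgreSQL side sets `format_sql: true`. Keeping just `url`, `driverClassName` and the dialect inside the conditional would leave one copy of the credential and pool settings to maintain. Part of the MariaDB branch lies between the two hunks and is not visible, so the `hikari` values should be compared before merging them.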
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml
index c4946a8263..8de035e5d1 100755
--- a/kubernetes/policy/components/policy-api/templates/deployment.yaml
+++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml
@@ -1,30 +1,22 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: - /app/ready.py args: - --job-name +{{ if not .Values.global.postgres.localCluster }} - {{ include "common.release" . }}-policy-galera-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -34,6 +26,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: 
@@ -56,26 +55,13 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 8 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/api/bin/policy-api.sh /opt/app/policy/api/etc/mounted/apiParameters.yaml"] -{{- else }} command: ["/opt/app/policy/api/bin/policy-api.sh"] args: ["/opt/app/policy/api/etc/mounted/apiParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} 
@@ -92,21 +78,16 @@ spec: httpHeaders: - name: Authorization value: Basic {{ printf "%s:%s" .Values.restServer.user .Values.restServer.password | b64enc }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/api/etc/mounted name: apiconfig-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -117,10 +98,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: apiconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -128,5 +105,4 @@ spec: - name: apiconfig-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-api/templates/service.yaml b/kubernetes/policy/components/policy-api/templates/service.yaml index b5dee39e60..abb9a44bbe 100755 --- a/kubernetes/policy/components/policy-api/templates/service.yaml +++ b/kubernetes/policy/components/policy-api/templates/service.yaml 
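Review bot: With `scheme: HTTP` the probe's `Authorization: Basic …` header, rendered from `.Values.restServer.user` and `.Values.restServer.password`, is sent unencrypted on every probe and also sits in the Deployment spec. Anyone who can read the Deployment or Pod object can base64-decode it, and the header would not follow credentials supplied through an external secret, if this chart supports one as apex-pdp does with `restServer.credsExternalSecret`. Kubernetes `httpGet` probes cannot reference Secrets, so the usual remedy is a target that needs no credentials: a `tcpSocket` check on the service port, as the apex-pdp deployment in this commit uses, or an unauthenticated health path if the application has one. The header lines are unchanged context and the probe block starts above this hunk.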
@@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,28 +19,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index ec80ba82f0..530f021d85 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml 
@@ -1,6 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +24,8 @@ global: nodePortPrefix: 304 persistence: {} - aafEnabled: true + postgres: + localCluster: false ################################################################# # Secrets metaconfig 
@@ -41,45 +43,12 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-api-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:2.7.1 +image: onap/policy-api:3.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -87,11 +56,13 @@ debugEnabled: false # application configuration db: - user: policy_user + user: policy-user password: policy_user service: name: policy-mariadb + pgName: policy-pg-primary internalPort: 3306 + internalPgPort: 5432 restServer: user: policyadmin 
@@ -123,30 +94,35 @@ readiness: service: type: ClusterIP name: policy-api - portName: http - externalPort: 6969 internalPort: 6969 - nodePort: 40 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: policy-pap-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account @@ -164,7 +140,7 @@ metrics: enabled: true port: policy-api interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-api-user-creds diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml new file mode 100755 index 0000000000..e35dd3d6f0 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml 
@@ -0,0 +1,33 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022-2024 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: v2
+description: ONAP Policy Clamp A1PMS Participant
+name: policy-clamp-ac-a1pms-ppnt
+version: 14.0.0
+
+dependencies:
+ - name: common
+ version: ~13.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~13.x-0
+ repository: '@local'
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml
new file mode 100755
index 0000000000..31aa1b746a
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml
@@ -0,0 +1,85 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +spring: + autoconfigure: + exclude: + - org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration + - org.springframework.boot.autoconfigure.data.web.SpringDataWebAutoConfiguration + security: + user: + name: ${RESTSERVER_USER} + password: ${RESTSERVER_PASSWORD} + +security: + enable-csrf: false + +participant: + intermediaryParameters: + reportingTimeIntervalMs: 120000 + description: Participant Description + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c00 + clampAutomationCompositionTopics: + topicSources: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + topicSinks: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.A1PMSAutomationCompositionElement + typeVersion: 1.0.1 + + +management: + endpoints: + web: + base-path: / + exposure: + include: health, metrics, prometheus +server: + port: 8086 + servlet: + context-path: /onap/policy/clamp/acm/a1pmsparticipant + ssl: + enabled: false + + diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/logback.xml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/logback.xml new file mode 100755 index 0000000000..b0d310e3de --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/logback.xml 
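Review bot: Both the topic source and the topic sink set `security.protocol: SASL_PLAINTEXT`, so SCRAM authenticates the participant but the Kafka client does not encrypt message payloads. If the deployment relies on the service mesh for that, a comment next to the first `security.protocol` line would make the dependency explicit, e.g. `# no TLS at the Kafka client; encryption is expected from the mesh`. Separately, `group.id` and `client.id` are taken from `(first .Values.kafkaUser.acls).name`, which ties the consumer group to the order of the ACL list. A dedicated values key, like the `.Values.config.kafka.consumer.groupId` the apex-pdp chart uses, would survive a reordering of the ACLs.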
@@ -0,0 +1,103 @@ + + + + + + /var/log/onap/policy/a1pms-participant/error.log + + /var/log/onap/policy/a1pms-participant/error.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + WARN + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/a1pms-participant/debug.log + + /var/log/onap/policy/a1pms-participant/debug.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/a1pms-participant/network.log + + /var/log/onap/policy/a1pms-participant/network.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n + + + + + + + + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml
new file mode 100755
index 0000000000..4a0c2aaef4
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml
@@ -0,0 +1,36 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-configmap
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{- if .Values.a1pmsconfig }}
+{{ tpl (.Files.Glob "resources/config/A1pmsParticipantParameters.yaml").AsConfig . | indent 2 }}
+{{ toYaml .Values.a1pmsconfig | indent 4 }}
+{{- end }}
+{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }}
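Review bot: The `{{- if .Values.a1pmsconfig }}` guard in configmap.yaml also wraps the line that renders `A1pmsParticipantParameters.yaml`, and the unguarded glob below it only matches `*.{json,xml,sh}`, so an override that empties `a1pmsconfig` yields a ConfigMap without the parameters file at all. The deployment added in this commit passes `/opt/app/policy/clamp/etc/mounted/A1pmsParticipantParameters.yaml` as the container argument, so that case would presumably surface as a pod start failure rather than a render error. I would move the `tpl (.Files.Glob "resources/config/A1pmsParticipantParameters.yaml").AsConfig . | indent 2` line above the `if`, leaving only `{{ toYaml .Values.a1pmsconfig | indent 4 }}` conditional. The append also depends on the file being emitted as a block scalar whose body lands at four spaces, which deserves a template comment next to the `indent 4` so the two indents are kept in sync.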
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml
new file mode 100755
index 0000000000..d34da146a5
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml
@@ -0,0 +1,96 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022-2023 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ initContainers:
+ - command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: RESTSERVER_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }}
+ - name: RESTSERVER_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }}
+ - name: SASL_JAAS_CONFIG
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.name" . }}-ku
+ key: sasl.jaas.config
+ volumeMounts:
+ - mountPath: /config-input
+ name: ac-a1pms-ppnt-config
+ - mountPath: /config
+ name: ac-a1pms-ppnt-config-processed
+ image: {{ include "repositoryGenerator.image.envsubst" . 
}}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ containers:
+ - name: {{ include "common.name" . }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["/opt/app/policy/clamp/bin/a1pms-participant.sh"]
+ args: ["/opt/app/policy/clamp/etc/mounted/A1pmsParticipantParameters.yaml"]
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
+ # disable liveness probe when breakpoints set in debugger
+ # so K8s doesn't restart unresponsive container
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.liveness.port }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.readiness.port }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
+ - mountPath: /opt/app/policy/clamp/etc/mounted
+ name: ac-a1pms-ppnt-config-processed
+ resources: {{ include "common.resources" . | nindent 12 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 10 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
+ volumes:
+ - name: ac-a1pms-ppnt-config
+ configMap:
+ name: {{ include "common.fullname" . }}-configmap
+ defaultMode: 0755
+ - name: ac-a1pms-ppnt-config-processed
+ emptyDir:
+ medium: Memory
+ {{- include "common.imagePullSecrets" . | nindent 6 }}
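Review bot: The new A1PMS participant pod is bound to the `create` service-account role (`serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}`), whereas the http participant deployment touched by this same commit uses `"suffix" "read"`. Nothing visible in this chart has the participant calling the Kubernetes API; its configuration only points at Kafka and at `a1policymanagement` over HTTP, so the broader role looks unnecessary, although what `create` actually grants is defined in the serviceAccount chart and is not shown here. Unless there is a concrete API call that needs it, I would use `"suffix" "read"` here together with `roles: [read]` under `serviceAccount` in this chart's values.yaml, or add a comment naming the call that requires `create`.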
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml
new file mode 100644
index 0000000000..6fc37c3d01
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml
@@ -0,0 +1,16 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/secrets.yaml
new file mode 100755
index 0000000000..3401d7f01f
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/secrets.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml
new file mode 100644
index 0000000000..19f522a71e
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml
@@ -0,0 +1,21 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml
new file mode 100755
index 0000000000..5954d657f1
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml
@@ -0,0 +1,140 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2022-2023 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+ persistence: {}
+ kafkaTopics:
+ acRuntimeTopic:
+ name: &acRuntimeTopic policy.clamp-runtime-acm
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+ - uid: restserver-secret
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
+ login: '{{ .Values.restServer.user }}'
+ password: '{{ .Values.restServer.password }}'
+ passwordPolicy: required
+
+#################################################################
+# Application configuration defaults. 
+#################################################################
+# application image
+image: onap/policy-clamp-ac-a1pms-ppnt:7.1.0
+pullPolicy: Always
+
+componentName: &componentName policy-clamp-ac-a1pms-ppnt
+
+# application configuration
+restServer:
+ user: participantUser
+ password: zb!XztG34
+
+a1pmsconfig:
+ a1pms:
+ baseUrl: http://a1policymanagement.onap:8081
+ headers:
+ content-type: application/json
+ endpoints:
+ health: /a1-policy/v2/rics
+ services: /a1-policy/v2/services
+ service: /a1-policy/v2/services/{service_id}
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+# default number of instances
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+ingress:
+ enabled: false
+
+serviceMesh:
+ authorizationPolicy:
+ authorizedPrincipals:
+ - serviceAccount: strimzi-kafka-read
+
+# probe configuration parameters
+liveness:
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+ port: http-a1pms-api
+
+readiness:
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ port: http-a1pms-api
+
+service:
+ type: ClusterIP
+ name: *componentName
+ ports:
+ - name: http-a1pms-api
+ port: 8086
+
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: "1"
+ memory: "1Gi"
+ requests:
+ cpu: "0.5"
+ memory: "1Gi"
+ large:
+ limits:
+ cpu: "2"
+ memory: "2Gi"
+ requests:
+ cpu: "1"
+ memory: "2Gi"
+ unlimited: {}
+#Pods Service Account
+serviceAccount:
+ nameOverride: *componentName
+ roles:
+ - create
+
+config:
+# Any new property can be added in the env by setting in overrides in the format mentioned below
+# All the added properties must be in "key: value" format instead of yaml. 
+# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml index 1e820fe107..faa7014a79 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2022, 2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,18 +19,16 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Http Participant name: policy-clamp-ac-http-ppnt -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 - repository: '@local' \ No newline at end of file + version: ~13.x-0 + repository: '@local' + diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml index 51d4b47a15..a04c37fe3d 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml 
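Review bot: The new values.yaml for policy-clamp-ac-a1pms-ppnt ships a literal `restServer.password` next to `user: participantUser`, so every installation that does not override it shares the same basic-auth login for the participant's REST endpoint, and that endpoint is served with `ssl.enabled: false` in the parameters file of this commit. The `restserver-secret` entry already accepts `restServer.credsExternalSecret`, so the chart does not need a built-in default. I would remove the literal and add a comment such as `# password: set per installation, or supply restServer.credsExternalSecret`; with `passwordPolicy: required` the render should then presumably fail when neither is provided, which needs confirming against the common secret template. The http participant's values.yaml shows the same `participantUser` default as context in hunk `@@ -33,54 +36,16 @@`; its password line lies outside that hunk.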
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,18 +26,6 @@ spring: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} -{{- if .Values.config.useStrimziKafka }} - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} security: enable-csrf: false 
@@ -46,49 +34,40 @@ participant: intermediaryParameters: reportingTimeIntervalMs: 120000 description: Participant Description - participantId: - name: HttpParticipant0 - version: 1.0.0 - participantType: - name: org.onap.policy.clamp.acm.HttpParticipant - version: 2.3.4 + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c01 clampAutomationCompositionTopics: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap + - + useHttps: false fetchTimeout: 15000 - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} -# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below -# clampAutomationCompositionTopics: -# topicSources: -# - topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . 
}}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# fetchTimeout: 15000 -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} -# topicSinks: -# - topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.HttpAutomationCompositionElement + typeVersion: 1.0.0 + management: endpoints: @@ -100,5 +79,5 @@ server: servlet: context-path: /onap/httpparticipant ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml index 044be0ff70..e502c1a091 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -38,10 +38,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-http-ppnt-config 
@@ -50,24 +51,12 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/http-participant.sh /opt/app/policy/clamp/etc/mounted/HttpParticipantParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/http-participant.sh"] args: ["/opt/app/policy/clamp/etc/mounted/HttpParticipantParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -84,14 +73,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-http-ppnt-config-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -102,10 +86,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-http-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -113,5 +93,4 @@ spec: - name: ac-http-ppnt-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 668d911f7e..17e4d31968 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +21,10 @@ ################################################################# global: persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm ################################################################# # Secrets metaconfig 
@@ -33,54 +36,16 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-ac-http-ppnt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:6.3.1 +image: onap/policy-clamp-ac-http-ppnt:7.1.0 pullPolicy: Always +componentName: &componentName policy-clamp-ac-http-ppnt + # application configuration restServer: user: participantUser 
@@ -98,9 +63,14 @@ affinity: {} ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container 
@@ -108,65 +78,54 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-ac-http-ppnt - useNodePortExt: true + name: *componentName ports: - name: http-api port: 8084 - nodePort: 42 - flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-clamp-ac-http-ppnt + nameOverride: *componentName roles: - read config: -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml index 13507f9e37..aa6d08a3de 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml 
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2021-2022, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +21,15 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop K8s Participant name: policy-clamp-ac-k8s-ppnt -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml index bbe905b282..14deab557b 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml 
@@ -26,18 +26,6 @@ spring: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} security: enable-csrf: false 
@@ -48,54 +36,39 @@ participant: intermediaryParameters: reportingTimeIntervalMs: 120000 description: Participant Description - participantId: - name: K8sParticipant0 - version: 1.0.0 - participantType: - name: org.onap.policy.clamp.acm.KubernetesParticipant - version: 2.3.4 + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c02 clampAutomationCompositionTopics: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap + useHttps: false fetchTimeout: 15000 - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} - -# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below -# clampAutomationCompositionTopics: -# topicSources: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . 
}}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# fetchTimeout: 15000 -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} -# topicSinks: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.K8SMicroserviceAutomationCompositionElement + typeVersion: 1.0.0 management: endpoints: @@ -110,7 +83,7 @@ server: servlet: context-path: /onap/policy/clamp/acm/k8sparticipant ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false logging: diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml 
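Review bot: With `ssl: enabled: false` now hard-coded in the `server:` hunk, and `useHttps: false` plus `security.protocol: SASL_PLAINTEXT` on both topic blocks, nothing in this file encrypts the participant's traffic; the former `common.needTLS` switch is gone. SCRAM keeps the Kafka password itself off the wire, but message payloads and the REST basic-auth credentials (`RESTSERVER_USER`/`RESTSERVER_PASSWORD`) are protected only if a service mesh supplies mTLS, which is presumably the intent given the `authorizationpolicy.yaml` template added in the same change. I would state that next to the setting, e.g. `# transport encryption is provided by the service mesh; do not deploy without mesh mTLS`, so that a mesh-less install is a visible decision. The new `KserveParticipantParameters.yaml` carries the same three settings and should get the same comment.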
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml index 54c595cc8f..8a6cf830ca 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml @@ -29,9 +29,8 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} {{- if .Values.repoList }} {{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }} {{ toYaml .Values.repoList | indent 4 }} -{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} -{{- end }} \ No newline at end of file +{{- end }} +{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml index e8650fe350..cfc2fc7fac 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml 
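Review bot: In the configmap.yaml hunk, `KubernetesParticipantParameters.yaml` is now rendered only inside `{{- if .Values.repoList }}`, because the unconditional `*.{xml,yaml}` glob above it was removed. An override that empties `repoList`, the list the values file describes as the permitted repositories and protocols, therefore drops the whole participant configuration from the ConfigMap, while the deployment still passes `/opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml` as the start argument. Moving `{{- if .Values.repoList }}` down one line, so that it wraps only `{{ toYaml .Values.repoList | indent 4 }}`, keeps the file present whatever `repoList` holds. The remaining glob `*.{json,xml,sh}` also no longer picks up any other `.yaml` file under `resources/config`; please confirm none is expected.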
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -38,10 +38,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-k8s-ppnt-config 
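Review bot: The `SASL_JAAS_CONFIG` entry reads a secret named `{{ include "common.name" . }}-ku` that no template visible in this chart creates directly, and the reference is no longer guarded by a values flag. The secret presumably comes from the Strimzi user operator reconciling the KafkaUser rendered by `templates/kafkauser.yaml`; if the name produced by the `common.kafkauser` helper ever differs, the init container cannot start because the referenced secret is missing. A comment above the entry would make the coupling visible, e.g. `# secret generated by Strimzi for the KafkaUser in kafkauser.yaml; name must stay <common.name>-ku`. The kserve deployment added later in this change uses the same reference, and the container spec continues outside this hunk.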
@@ -50,24 +51,12 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/kubernetes-participant.sh /opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/kubernetes-participant.sh"] args: ["/opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -84,14 +73,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-k8s-ppnt-config-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -102,10 +86,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-k8s-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -113,5 +93,4 @@ spec: - name: ac-k8s-ppnt-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index 3d2eeeec9d..407f5dd724 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,10 @@ global: nodePortPrefixExt: 304 persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm ################################################################# # Secrets metaconfig 
@@ -34,54 +37,16 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-ac-k8s-ppnt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:6.3.1 +image: onap/policy-clamp-ac-k8s-ppnt:7.1.0 pullPolicy: Always +componentName: &componentName policy-clamp-ac-k8s-ppnt + # flag to enable debugging - application support required debugEnabled: false 
@@ -98,7 +63,7 @@ nodeSelector: {} affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container @@ -106,43 +71,46 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-ac-k8s-ppnt - useNodePortExt: true + name: *componentName ports: - name: http-api port: 8083 - nodePort: 42 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-clamp-ac-k8s-ppnt + nameOverride: *componentName roles: - create # Update the config here for permitting repositories and protocols 
@@ -161,26 +129,20 @@ repoList: - https config: -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] + diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml new file mode 100755 index 0000000000..44c80ff879 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml 
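Review bot: The order of `kafkaUser.acls` is load-bearing but undocumented: `KubernetesParticipantParameters.yaml` takes `(first .Values.kafkaUser.acls).name` as the consumer `group.id` and as the prefix of `client.id`. If an override reorders the list or puts the topic entry first, the consumer would join a group named after the topic, for which this user has no `group` ACL, and the broker would presumably refuse the reads. A comment on the list would prevent that, e.g. `# keep the group entry first: templates use the first acl name as group.id/client.id`. The http participant's values.yaml earlier in this change adds the same block.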
@@ -0,0 +1,33 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2023-2024 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy Clamp Kserve Participant +name: policy-clamp-ac-kserve-ppnt +version: 14.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml new file mode 100755 index 0000000000..89cf9494a3 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml 
@@ -0,0 +1,100 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +spring: + cloud: + kubernetes: + enabled: false + discovery: + enabled: false + security: + user: + name: ${RESTSERVER_USER} + password: ${RESTSERVER_PASSWORD} + autoconfigure: + exclude: + - org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration + - org.springframework.boot.autoconfigure.data.web.SpringDataWebAutoConfiguration + - io.kubernetes.client.spring.extended.manifests.config.KubernetesManifestsAutoConfiguration + - io.kubernetes.client.spring.extended.network.config.KubernetesLoadBalancerAutoConfiguration + +security: + enable-csrf: false + +participant: + intermediaryParameters: + reportingTimeIntervalMs: 120000 + description: Participant Description + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c04 + clampAutomationCompositionTopics: + topicSources: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + 
topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + topicSinks: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.KserveAutomationCompositionElement + typeVersion: 1.0.1 + - + typeName: org.onap.policy.clamp.acm.AutomationCompositionElement + typeVersion: 1.0.0 + +customresourcedefinition: + group: serving.kserve.io + version: v1beta1 + plural: inferenceservices + grace-period: 10 + +management: + endpoints: + web: + base-path: / + exposure: + include: health, metrics, prometheus +server: + port: 8087 + servlet: + context-path: /onap/policy/clamp/acm/kserveparticipant + ssl: + enabled: false + + diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/logback.xml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/logback.xml new file mode 100755 index 0000000000..897d62a487 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/logback.xml 
@@ -0,0 +1,103 @@ + + + + + + /var/log/onap/policy/kserve-participant/error.log + + /var/log/onap/policy/kserve-participant/error.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + WARN + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/kserve-participant/debug.log + + /var/log/onap/policy/kserve-participant/debug.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/kserve-participant/network.log + + /var/log/onap/policy/kserve-participant/network.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n + + + + + + + + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml new file mode 100755 index 0000000000..d3e2833904 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml @@ -0,0 +1,32 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml new file mode 100755 index 0000000000..8574979cbc --- /dev/null 
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml 
@@ -0,0 +1,96 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + volumeMounts: + - mountPath: /config-input + name: ac-kserve-ppnt-config + - mountPath: /config + name: ac-kserve-ppnt-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . 
}} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/opt/app/policy/clamp/bin/kserve-participant.sh"] + args: ["/opt/app/policy/clamp/etc/mounted/KserveParticipantParameters.yaml"] + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-kserve-ppnt-config-processed + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} + volumes: + - name: ac-kserve-ppnt-config + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: ac-kserve-ppnt-config-processed + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} 
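Review bot: Neither the `update-config` init container nor the main container in this new Deployment sets a `securityContext`. That matters more than usual here, because the pod runs under the `create` service account that service.yaml in the same change binds to `cluster-admin`. I would add `securityContext: {allowPrivilegeEscalation: false, runAsNonRoot: true, capabilities: {drop: ["ALL"]}}` to both containers, provided the images already run as a non-root user, which this hunk does not show. Separately, the ConfigMap volume is mounted with `defaultMode: 0755` although its files are only read by `envsubst`, so `defaultMode: 0444` looks sufficient.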
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml
new file mode 100755
index 0000000000..b7e7364eab
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml
@@ -0,0 +1,16 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{ include "common.kafkauser" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/secrets.yaml
new file mode 100755
index 0000000000..339fe339c5
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/secrets.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright (C) 2023 Nordix Foundation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml
new file mode 100644
index 0000000000..ac5ee0b72f
--- /dev/null
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml
@@ -0,0 +1,38 @@
+{{/*
+# ============LICENSE_START=======================================================
+# Copyright (C) 2023 Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}}
+ namespace: {{ include "common.namespace" . }}
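Review bot: The `roleRef` at the end of this file binds the participant's service account to the built-in `cluster-admin` ClusterRole, so a compromise of this pod or its token gives control of the whole cluster rather than of the objects the participant deploys. Bind it instead to a dedicated ClusterRole (or a namespaced Role and RoleBinding, if the participant only acts in its own namespace) that lists just the API groups, resources and verbs it uses. The rule set below is an assumption and must be confirmed against the participant's actual API calls. `metadata.namespace` has no effect on a ClusterRoleBinding, which is cluster-scoped, and since the file holds no Service a name such as `clusterrolebinding.yaml` would describe it better.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-role
rules:
  # assumed resource set - confirm against what the participant really calls
  - apiGroups: ["serving.kserve.io"]
    resources: ["inferenceservices"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
---
# … unchanged: ClusterRoleBinding apiVersion, kind, metadata …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-role
# … unchanged: subjects …
```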
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml new file mode 100755 index 0000000000..6f737a0c23 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml 
@@ -0,0 +1,130 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: restserver-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/policy-clamp-ac-kserve-ppnt:7.1.0 +pullPolicy: Always + +componentName: &componentName policy-clamp-ac-kserve-ppnt + +# application configuration +restServer: + user: participantUser + password: zb!XztG34 + +# flag to enable debugging - application support required +debugEnabled: false + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} +ingress: + enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + +# probe configuration parameters +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: kserve-api + +readiness: + initialDelaySeconds: 60 + periodSeconds: 10 + port: kserve-api + +service: + type: ClusterIP + name: *componentName + ports: + - name: kserve-api + port: 8087 + +flavor: small +resources: + small: + limits: + cpu: "1" + memory: "700Mi" + requests: + cpu: "0.5" + memory: "700Mi" + large: + limits: + cpu: "2" + memory: "1.4Gi" + requests: + cpu: "1" + memory: "1.4Gi" + unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: *componentName + roles: + - create + +config: +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml index 59e1ab78f5..f860393f43 100644 
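Review bot: `restServer.user` and `restServer.password` ship as literal defaults in this new values file, so any installation that does not override them runs the participant's REST endpoint with credentials published in the repository. The `restserver-secret` entry already accepts `restServer.credsExternalSecret` and declares `passwordPolicy: required`, so I would leave the default empty, e.g. `password: ""  # supply via override or restServer.credsExternalSecret`. Presumably the render then fails when no credential is supplied, which should be confirmed against the common secret template. If other components must share this credential, document in a comment which values have to match.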
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2022, 2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,18 +19,15 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Policy Participant name: policy-clamp-ac-pf-ppnt -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 - repository: '@local' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml index f24e0ff8c6..1cd4ba318c 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -26,18 +26,6 @@ spring: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} security: enable-csrf: false @@ -51,7 +39,7 @@ participant: port: 6969 userName: ${API_USER} password: ${API_PASSWORD} - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + useHttps: "false" allowSelfSignedCerts: true policyPapParameters: clientName: pap 
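Review bot: In the second hunk, `useHttps` for the policy API client (the block using `${API_USER}`/`${API_PASSWORD}`) is now the literal `"false"`. The basic-auth credentials therefore travel in clear text unless something outside this chart, presumably a service-mesh sidecar, encrypts the hop. The same applies to the `pap` client and to `server.ssl.enabled: false` in the later hunks of this file. If the mesh is the intended protection, say so next to the setting, for example `# TLS is provided by the service mesh; do not deploy this chart without it`. With HTTPS off, `allowSelfSignedCerts: true` is unused; removing it avoids silently accepting unverified certificates if TLS is switched back on.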
@@ -59,59 +47,44 @@ participant: port: 6969 userName: ${PAP_USER} password: ${PAP_PASSWORD} - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + useHttps: "false" allowSelfSignedCerts: true intermediaryParameters: reportingTimeIntervalMs: 120000 description: Participant Description - participantId: - name: org.onap.PM_Policy - version: 1.0.0 - participantType: - name: org.onap.policy.clamp.acm.PolicyParticipant - version: 2.3.1 + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c03 clampAutomationCompositionTopics: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap + useHttps: false fetchTimeout: 15000 - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} - -# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below -# clampAutomationCompositionTopics: -# topicSources: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . 
}}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# fetchTimeout: 15000 -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} -# topicSinks: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.PolicyAutomationCompositionElement + typeVersion: 1.0.0 management: endpoints: @@ -124,5 +97,5 @@ server: servlet: context-path: /onap/policyparticipant ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml 
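Review bot: Both the topic source and the topic sink added here set `security.protocol: SASL_PLAINTEXT`, so SCRAM authenticates the client but the Kafka traffic itself is neither encrypted nor integrity-protected on the wire. If the Strimzi cluster offers a TLS listener, `security.protocol: SASL_SSL` is the safer value; otherwise a comment should state that the service mesh is relied on for transport encryption. The `servers` entry also lost the explicit `:9092`, so `.Values.global.kafkaBootstrap` must now carry the port, and that value is not visible in this diff. The same block is repeated in the `topicParameterGroup` hunk of acRuntimeParameters.yaml further down.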
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml index a127885cce..9026309fa1 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -46,10 +46,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-pf-ppnt-config 
@@ -58,24 +59,12 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/policy-participant.sh /opt/app/policy/clamp/etc/mounted/PolicyParticipantParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/policy-participant.sh"] args: ["/opt/app/policy/clamp/etc/mounted/PolicyParticipantParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -92,14 +81,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-pf-ppnt-config-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -110,10 +94,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-pf-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -121,5 +101,4 @@ spec: - name: ac-pf-ppnt-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index cf20bd1d56..b763699019 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +21,10 @@ ################################################################# global: persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm ################################################################# # Secrets metaconfig 
@@ -45,54 +48,16 @@ secrets: login: '{{ .Values.restServer.pap.user }}' password: '{{ .Values.restServer.pap.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-ac-pf-ppnt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:6.3.1 +image: onap/policy-clamp-ac-pf-ppnt:7.1.0 pullPolicy: Always +componentName: &componentName policy-clamp-ac-pf-ppnt + # flag to enable debugging - application support required debugEnabled: false 
@@ -114,12 +79,18 @@ restServer: nodeSelector: {} affinity: {} + ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container 
@@ -127,63 +98,55 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-ac-pf-ppnt - useNodePortExt: true + name: *componentName + internalPort: 8085 ports: - name: http-api port: 8085 - nodePort: 42 flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-clamp-ac-pf-ppnt + nameOverride: *componentName roles: - read config: -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index 12578aba5c..bdd6c99c53 100644 
--- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# Copyright (C) 2021, 2024 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2022 Nordix Foundation # ================================================================================ @@ -21,18 +21,16 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' + diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index 3d192f4b6a..35e42c589d 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -44,18 +44,10 @@ spring: hibernate: dialect: org.hibernate.dialect.MariaDB103Dialect format_sql: true - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} + +metrics: + security: + disabled: false security: enable-csrf: false @@ -67,8 +59,7 @@ server: error: path: /error ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - + enabled: false runtime: participantParameters: 
@@ -81,45 +72,34 @@ runtime: topicParameterGroup: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + useHttps: false fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} - -# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below -# topicParameterGroup: -# topicSources: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# fetchTimeout: 15000 -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} -# topicSinks: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + acmParameters: + toscaElementName: {{ .Values.customNaming.toscaElementName }} + toscaCompositionName: {{ .Values.customNaming.toscaCompositionName }} management: endpoints: diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index 361045af94..b0ea909e55 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml 
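Review bot: `group.id` and `client.id` are taken from `(first .Values.kafkaUser.acls).name`, which silently depends on the consumer-group ACL being the first list entry in values.yaml. If the list is reordered or a topic ACL is placed first, the consumer would join a group named after a topic, for which the KafkaUser presumably has no group Read ACL, and the failure would show up as a runtime authorization error rather than at render time. I would either add a dedicated value for the group name or pin the contract with a comment above `kafkaUser.acls`: `# the first entry must be the consumer-group ACL; templates read (first .Values.kafkaUser.acls).name`. policy-distribution `config.json` uses the same lookup for `consumerId` and `consumerGroup`.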
@@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -41,7 +41,14 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + name: {{ include "common.name" . }}-galera-config-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: @@ -56,10 +63,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} - name: RUNTIME_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-runtime-config 
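Review bot: The `SASL_JAAS_CONFIG` env entry references the `{{ include "common.name" . }}-ku` secret unconditionally, whereas the removed `JAASLOGIN` entry was wrapped in `{{- if .Values.config.useStrimziKafka }}` and the new kafkatopic.yaml is still gated on `.Values.global.useStrimziKafka`. With that flag off the topic is skipped but the pod still requires the secret, so unless something else creates it the init container cannot start; the enclosing container spec continues outside this hunk. Either gate the topic, the user and this reference on the same flag, or set `optional: true` on the `secretKeyRef`, and say in values.yaml which behaviour is intended. The policy-distribution deployment.yaml adds the same unconditional reference to its main container.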
@@ -68,24 +76,12 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/acm-runtime.sh /opt/app/policy/clamp/etc/mounted/acRuntimeParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/acm-runtime.sh"] args: ["/opt/app/policy/clamp/etc/mounted/acRuntimeParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -102,14 +98,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-runtime-config-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -120,10 +111,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-runtime-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -131,5 +118,4 @@ spec: - name: ac-runtime-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkatopic.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkatopic.yaml new file mode 100644 index 0000000000..5601154ddd --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkatopic.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.global.useStrimziKafka }} +{{ include "common.kafkatopic" . }} +{{ end }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index 7c7d07979b..cc399d38da 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,10 @@ global: nodePortPrefixExt: 304 persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm ################################################################# # Secrets metaconfig 
@@ -34,60 +37,22 @@ secrets: login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - uid: runtime-secret type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.appUserExternalSecret) . }}' login: '{{ .Values.config.policyAppUserName }}' password: '{{ .Values.config.policyAppUserPassword }}' passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-runtime-acm-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. 
################################################################# # application image -image: onap/policy-clamp-runtime-acm:6.3.1 +image: onap/policy-clamp-runtime-acm:7.1.0 pullPolicy: Always +componentName: &componentName policy-clamp-runtime-acm + # flag to enable debugging - application support required debugEnabled: false @@ -95,33 +60,28 @@ debugEnabled: false config: policyAppUserName: runtimeUser policyAppUserPassword: none - -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy.policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] + +kafkaTopic: + - name: *acRuntimeTopic + db: - user: policy_user + user: policy-user password: policy_user service: name: policy-mariadb @@ -136,7 +96,7 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container 
@@ -144,42 +104,54 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-runtime-acm - useNodePortExt: true + name: *componentName ports: - name: http-api port: 6969 - nodePort: 42 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + - serviceAccount: policy-gui-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-clamp-runtime-acm + nameOverride: *componentName roles: - read + +wait_for_job_container: + containers: + - '{{ include "common.release" . }}-policy-galera-config' + +customNaming: + toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement + toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition \ No newline at end of file diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml index 778bfb60c8..3de47d06e9 100755 --- a/kubernetes/policy/components/policy-distribution/Chart.yaml +++ b/kubernetes/policy/components/policy-distribution/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
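Review bot: `authorizedPrincipals` lists `strimzi-kafka-read` as a caller of this service, but the runtime connects out to the brokers as a Kafka client and nothing visible here has a broker calling the `http-api` port. If `common.authorizationPolicy` treats these entries as allowed inbound identities (its body is not in this diff), that principal widens access without a stated need. I would drop it, or keep it with a comment such as `# strimzi-kafka-read: needed because <reason>`. Since the same hunk removes `useNodePortExt` and `nodePort`, the principal list becomes the main access control for this API and is worth keeping minimal.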
@@ -21,18 +21,15 @@ apiVersion: v2 description: ONAP Policy Distribution name: policy-distribution -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-distribution/resources/config/config.json b/kubernetes/policy/components/policy-distribution/resources/config/config.json index 1aa9044eab..8def9aebd8 100755 --- a/kubernetes/policy/components/policy-distribution/resources/config/config.json +++ b/kubernetes/policy/components/policy-distribution/resources/config/config.json @@ -3,6 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2021 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,7 +27,7 @@ "port":6969, "userName":"${RESTSERVER_USER}", "password":"${RESTSERVER_PASSWORD}", - "https": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "https": "false", "prometheus": true }, "receptionHandlerParameters":{ 
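Review bot: `"https": "false"` turns the flag into a JSON string, whereas the removed template rendered a bare `true`/`false` and the new `"isUseHttpsWithSdc": false` in the same file is a real boolean. Whether a string is accepted depends on how lenient the parameter parser is, which this diff does not show; a strict reader could reject it, and a truthiness-based one would read any non-empty string as enabled. I would write `"https": false,` here and `"useHttps": false` in the `apiParameters` and `papParameters` hunks further down.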
@@ -56,27 +57,25 @@ "sdcConfiguration":{ "parameterClassName":"org.onap.policy.distribution.reception.handling.sdc.SdcReceptionHandlerConfigurationParameterGroup", "parameters":{ - "asdcAddress": "sdc-be.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }}", - "messageBusAddress": [ - "message-router.{{ include "common.namespace" . }}" - ], + "environmentName": "AUTO", + "isUseHttpsWithSdc": false, + "keyStorePath": "null", + "keyStorePassword": "null", + "activeserverTlsAuth": false, + "sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8080", "user": "${SDCBE_USER}", "password": "${SDCBE_PASSWORD}", + {{ with (first .Values.kafkaUser.acls) }} + "consumerId": "{{ .name }}-id", + "consumerGroup": "{{ .name }}", + {{ end }} "pollingInterval":20, "pollingTimeout":30, - "consumerId": "policy-id", "artifactTypes": [ "TOSCA_CSAR", "HEAT" ], - "consumerGroup": "policy-group", - "environmentName": "AUTO", - "keyStorePath": "null", - "keyStorePassword": "null", - "activeserverTlsAuth": false, - "isFilterinEmptyResources": true, - "isUseHttpsWithDmaap": {{ (eq "true" (include "common.needTLS" .)) | ternary true false }}, - "isUseHttpsWithSDC": {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + "isFilterinEmptyResources": true } } }, @@ -99,7 +98,7 @@ "port": 6969, "userName": "${API_USER}", "password": "${API_PASSWORD}", - "useHttps": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + "useHttps": "false" }, "papParameters": { "clientName": "policy-pap", @@ -107,7 +106,7 @@ "port": 6969, "userName": "${PAP_USER}", "password": "${PAP_PASSWORD}", - "useHttps": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + "useHttps": "false" }, "deployPolicies": true } 
diff --git a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml index 4745aac23b..62a3bfc98e 100755 --- a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml 
@@ -20,24 +20,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: 
@@ -70,26 +58,19 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/distribution/bin/policy-dist.sh /opt/app/policy/distribution/etc/mounted/config.json"] -{{- else }} + env: + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config command: ["/opt/app/policy/distribution/bin/policy-dist.sh"] args: ["/opt/app/policy/distribution/etc/mounted/config.json"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} 
@@ -105,14 +86,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/distribution/etc/mounted name: distributionconfig - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -123,10 +99,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: distributionconfig-input configMap: name: {{ include "common.fullname" . }}-configmap @@ -134,5 +106,4 @@ spec: - name: distributionconfig emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-distribution/templates/kafkauser.yaml b/kubernetes/policy/components/policy-distribution/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-distribution/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-distribution/templates/service.yaml b/kubernetes/policy/components/policy-distribution/templates/service.yaml index f8fa5415ba..ef4f2613cf 100755 --- a/kubernetes/policy/components/policy-distribution/templates/service.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/service.yaml @@ -19,21 +19,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index 22c8fc4ba9..fd2fe2e5df 100755 
--- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -1,6 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. +# Modifications Copyright (C) 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -45,16 +46,6 @@ secrets: login: '{{ .Values.sdcBe.user }}' password: '{{ .Values.sdcBe.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required ################################################################# # Global configuration defaults. @@ -67,13 +58,22 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:2.8.1 +image: onap/policy-distribution:3.1.0 pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false -# application configuration +#Strimzi Kafka User def +kafkaUser: + acls: + - name: policy-distribution + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] restServer: user: healthcheck 
@@ -87,27 +87,6 @@ papParameters: sdcBe: user: policy password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-distribution-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); # default number of instances replicaCount: 1 @@ -131,29 +110,35 @@ readiness: service: type: ClusterIP name: policy-distribution - portName: http - externalPort: 6969 internalPort: 6969 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: policy-pap-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account @@ -171,7 +156,7 @@ metrics: enabled: true port: policy-distribution interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-distribution-restserver-creds diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index 465d16bdf0..63c4984ac9 100755 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml 
+++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T Intellectual Property # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,18 +18,15 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf index 22168e8753..2e6efae345 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf 
@@ -49,28 +49,22 @@ MYSQL_CMD= # Liveness LIVENESS_CONTROLLERS=* -# AAF - -AAF={{.Values.aaf.enabled}} -AAF_NAMESPACE=org.onap.policy -AAF_HOST=aaf-locate.{{.Release.Namespace}} - # HTTP Servers -HTTP_SERVER_HTTPS={{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} +HTTP_SERVER_HTTPS="false" PROMETHEUS=true # PDP-D DMaaP configuration channel -PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION -PDPD_CONFIGURATION_SERVERS=message-router +PDPD_CONFIGURATION_TOPIC=pdpd_configuration +PDPD_CONFIGURATION_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} PDPD_CONFIGURATION_CONSUMER_GROUP= PDPD_CONFIGURATION_CONSUMER_INSTANCE= PDPD_CONFIGURATION_PARTITION_KEY= # PAP-PDP configuration channel -POLICY_PDP_PAP_TOPIC=POLICY-PDP-PAP +POLICY_PDP_PAP_TOPIC=policy-pdp-pap POLICY_PDP_PAP_GROUP=defaultGroup POLICY_PDP_PAP_POLICYTYPES=onap.policies.controlloop.operational.common.Drools @@ -91,19 +85,19 @@ GUARD_DISABLED=false # DCAE DMaaP -DCAE_TOPIC=unauthenticated.DCAE_CL_OUTPUT -DCAE_SERVERS=message-router +DCAE_TOPIC=unauthenticated.dcae_cl_output +DCAE_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} DCAE_CONSUMER_GROUP=dcae.policy.shared # Open DMaaP -DMAAP_SERVERS=message-router -DMAAP_HTTPS={{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} +KAFKA_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} +DMAAP_HTTPS="false" # AAI AAI_HOST=aai.{{.Release.Namespace}} -AAI_PORT={{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }} +AAI_PORT=8080 AAI_CONTEXT_URI= # MSO diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf index 761e8afef8..006388af61 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf 
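Review bot: `HTTP_SERVER_HTTPS`, `DMAAP_HTTPS` and `AAI_PORT` are now pinned to cleartext values where the removed lines derived them from `common.needTLS`, so the telemetry endpoint (authenticated with `TELEMETRY_USER`/`TELEMETRY_PASSWORD` from credentials.conf) and the AAI calls are unencrypted on any install that runs without a mesh sidecar. A comment above the block would make the assumption explicit: `# TLS is provided by the service mesh; endpoints inside the pod are plain HTTP`. The new values are also quoted (`"false"`) where the old template rendered a bare `true`/`false`; that is harmless if the file is sourced by a shell but changes the value if anything reads it as a properties file, so `HTTP_SERVER_HTTPS=false` and `DMAAP_HTTPS=false` are the safer spelling. This applies to both base.conf hunks.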
+++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf @@ -15,4 +15,4 @@ # limitations under the License. */}} -POOLING_TOPIC=POOLING +POOLING_TOPIC=pooling diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf b/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf index a2a34056f1..c535a950b5 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf @@ -18,12 +18,6 @@ # ============LICENSE_END========================================================= */}} -{{- if not .Values.global.aafEnabled }} -KEYSTORE_PASSWD={{.Values.keystore.password}} -{{- end }} - -TRUSTSTORE_PASSWD={{.Values.truststore.password}} - TELEMETRY_USER={{.Values.telemetry.user}} TELEMETRY_PASSWORD={{.Values.telemetry.password}} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..1d571df8b7 --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml index 619d0d4441..c7322b1f94 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml 
@@ -15,34 +15,5 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}-{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}-{{ .Values.service.externalPort2 }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}-{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}-{{ .Values.service.externalPort2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} + diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml index 7dee453771..ba0e2d1a41 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml 
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml @@ -17,25 +17,13 @@ apiVersion: apps/v1 kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: @@ -52,11 +40,18 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-db-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{- if not .Values.nexus.offline }} - command: - /app/ready.py args: - - --container-name + - --service-name - {{ .Values.nexus.name }} env: - name: NAMESPACE 
@@ -64,23 +59,32 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{- end }} -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["sh","-c"] - args: ["if [ -f {{ .Values.certInitializer.credsPath }}/.ci ]; then \ - source {{ .Values.certInitializer.credsPath }}/.ci; fi;\ - cp {{ .Values.certInitializer.credsPath }}/org.onap.policy.p12 ${POLICY_HOME}/etc/ssl/policy-keystore;\ - /opt/app/policy/bin/pdpd-cl-entrypoint.sh boot"] - ports: - - containerPort: {{ .Values.service.externalPort }} - - containerPort: {{ .Values.service.externalPort2 }} + args: ["/opt/app/policy/bin/pdpd-cl-entrypoint.sh boot"] + ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: httpGet: @@ -92,7 +96,7 @@ spec: {{- end }} readinessProbe: tcpSocket: - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: 
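Review bot: The four Kafka variables (`KAFKA_URL`, `SASL`, `GROUP_ID`, `PAP_TOPIC`) are added to the init container that waits for `.Values.nexus.name`, inside the `if not .Values.nexus.offline` guard, so they vanish when nexus is offline and nothing in the hunk shows this container performing a Kafka check. `SASL` is set from `kafkaUser.authenticationType`, yet no credential for that user is passed in the visible lines; if the readiness script is meant to reach the broker it will need one, taken from the KafkaUser secret with `valueFrom.secretKeyRef` rather than a literal. At minimum add a comment such as `# Kafka settings used by the topic readiness check` so the coupling to the nexus guard is a deliberate choice. The container spec starts before the hunk.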
@@ -103,10 +107,6 @@ spec: - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} - mountPath: /tmp/policy-install/config/{{ base $path }} name: drools-secret @@ -117,8 +117,7 @@ spec: name: drools-config subPath: {{ base $path }} {{- end }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -129,10 +128,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: drools-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -151,5 +146,4 @@ spec: path: {{ base $path }} mode: 0644 {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 7b55612a9a..710acd2c4f 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -41,7 +41,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pdpd-cl:1.11.1 +image: onap/policy-pdpd-cl:2.1.1 pullPolicy: Always # flag to enable debugging - application support required 
@@ -70,50 +70,24 @@ readiness: service: type: ClusterIP name: policy-drools-pdp - portName: http internalPort: 6969 - externalPort: 6969 - nodePort: 17 - internalPort2: 9696 - externalPort2: 9696 - nodePort2: 21 + ports: + - name: http + port: 6969 + - name: http-2 + port: 9696 ingress: enabled: false -# Default installation values to be overridden - -certInitializer: - nameOverride: policy-drools-pdp-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - echo "export CADI_KEYFILE='{{ .Values.credsPath }}/org.onap.policy.keyfile'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read server: jvmOpts: -server -XshowSettings:vm -aaf: - enabled: "false" - -keystore: - password: Pol1cy_0nap - -truststore: - password: Pol1cy_0nap - telemetry: user: demo@people.osaaf.org password: demo123456! @@ -127,7 +101,7 @@ nexus: db: name: policy-mariadb - user: policy_user + user: policy-user password: policy_user pap: @@ -183,18 +157,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "800Mi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "800Mi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "1.6Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "1.6Gi" unlimited: {} #Pods Service Account 
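Review bot: `serviceMesh.authorizationPolicy.authorizedPrincipals` in the first values.yaml hunk lists only `strimzi-kafka-read`, which looks inverted: the PDP connects out to the Kafka bootstrap address, and nothing in this diff shows the broker calling ports 6969 or 9696. The `metrics:` section of the same file scrapes `policy-drools-pdp-9696`, and the scraper's service account is not listed, so scraping may be denied once the policy is enforced (how `common.authorizationPolicy` renders the list is outside this diff). List the workloads that actually need inbound access and name them in a comment, e.g. `# inbound callers of the REST/telemetry ports`. The same hunk leaves `telemetry.password: demo123456!` as the chart default, which deserves a note that it must be overridden per installation.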
@@ -212,7 +186,7 @@ metrics: enabled: true port: policy-drools-pdp-9696 interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-drools-pdp-telemetry-creds @@ -223,3 +197,24 @@ metrics: chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' release: '{{ include "common.release" . }}' heritage: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-drools-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-drools-pdp + type: group + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] diff --git a/kubernetes/policy/components/policy-gui/Chart.yaml b/kubernetes/policy/components/policy-gui/Chart.yaml index b2769c3e7a..28972b59b0 100644 --- a/kubernetes/policy/components/policy-gui/Chart.yaml +++ b/kubernetes/policy/components/policy-gui/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021 Nordix Foundation. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,15 +21,12 @@ apiVersion: v2 description: ONAP Policy GUI name: policy-gui -version: 12.0.0 +version: 14.0.0 dependencies: - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
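Review bot: The `kafkaUser.acls` added at the end of values.yaml grant the user the group `policy-drools-pdp` and topics with the prefix `policy-pdp-pap` only, while base.conf and feature-pooling-dmaap.conf in this same commit point the engine at `pdpd_configuration`, `unauthenticated.dcae_cl_output` and `pooling`. Unless those topics are authorized somewhere outside this diff, access to them will be refused once ACLs are enforced on the cluster. Add an entry per topic the engine really uses, with literal names and only the operations required; if a topic is only consumed, something like `- name: pdpd_configuration`, `type: topic`, `operations: [ Describe, Read ]` is enough. The existing prefix grant with `Create` and `Write` also covers any future topic whose name starts with `policy-pdp-pap`, so a literal match is the tighter choice there too.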
diff --git a/kubernetes/policy/components/policy-gui/resources/config/application.yml b/kubernetes/policy/components/policy-gui/resources/config/application.yml index 9be81d8ddd..f81a1b452a 100644 --- a/kubernetes/policy/components/policy-gui/resources/config/application.yml +++ b/kubernetes/policy/components/policy-gui/resources/config/application.yml @@ -1,18 +1,12 @@ server: port: 2443 ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} -# enabled-protocols: TLSv1.2 -# client-auth: want -# key-store: file:${KEYSTORE} -# key-store-password: ${KEYSTORE_PASSWD} -# trust-store: file:${TRUSTSTORE} -# trust-store-password: ${TRUSTSTORE_PASSWD} + enabled: false clamp: url: - disable-ssl-validation: {{ (eq "true" (include "common.needTLS" .)) | ternary false true }} - disable-ssl-hostname-check: {{ (eq "true" (include "common.needTLS" .)) | ternary false true }} + disable-ssl-validation: true + disable-ssl-hostname-check: true apex-editor: upload-url: diff --git a/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
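Review bot: `disable-ssl-validation: true` and `disable-ssl-hostname-check: true` under `clamp.url` are now unconditional, so certificate and hostname checks stay off even if `CLAMP_URL` is later pointed at an `https://` endpoint. The deployment in this commit fixes `CLAMP_URL` to `http://policy-clamp-runtime-acm:6969`, so the flags presumably have no effect today, which is a reason not to bake in the permissive value. Prefer `disable-ssl-validation: false` and `disable-ssl-hostname-check: false`, or drive both from a values key so an operator has to opt in to skipping verification.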
diff --git a/kubernetes/policy/components/policy-gui/templates/deployment.yaml b/kubernetes/policy/components/policy-gui/templates/deployment.yaml index 5a43fc71b0..a236d5f558 100644 --- a/kubernetes/policy/components/policy-gui/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-gui/templates/deployment.yaml @@ -20,24 +20,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: @@ -46,14 +34,6 @@ spec: - -c - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - - name: KEYSTORE - value: {{ .Values.certStores.keystoreLocation }} - - name: KEYSTORE_PASSWD - value: {{ .Values.certStores.keyStorePassword }} - - name: TRUSTSTORE - value: {{ .Values.certStores.truststoreLocation }} - - name: TRUSTSTORE_PASSWD - value: {{ .Values.certStores.trustStorePassword }} - name: POLICY_LOGS value: {{ .Values.log.path }} volumeMounts: @@ -67,7 +47,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - policy-clamp-runtime-acm env: - name: NAMESPACE 
@@ -78,7 +58,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness -{{ include "common.certInitializer.initContainer" . | nindent 6 }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: # side car containers {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} @@ -86,22 +72,11 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if not (include "common.onServiceMesh" .) }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;/opt/app/policy/gui/bin/policy-gui.sh"] - env: -{{ else }} command: ["/opt/app/policy/gui/bin/policy-gui.sh"] env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{ end }} - name: CLAMP_URL value: http://policy-clamp-runtime-acm:6969 - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} 
@@ -116,7 +91,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - name: logs mountPath: {{ .Values.log.path }} - mountPath: /opt/app/policy/gui/etc/application.yml @@ -125,8 +100,7 @@ spec: - mountPath: /opt/app/policy/gui/etc/logback.xml name: policy-gui-config-processed subPath: logback.xml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -136,7 +110,7 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + volumes: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} @@ -150,5 +124,4 @@ spec: - name: policy-gui-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-gui/templates/service.yaml b/kubernetes/policy/components/policy-gui/templates/service.yaml index 827e93a4f2..36406228d5 100644 --- a/kubernetes/policy/components/policy-gui/templates/service.yaml +++ b/kubernetes/policy/components/policy-gui/templates/service.yaml 
@@ -18,29 +18,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml index 330d1fcac8..3338d8f724 100644 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ b/kubernetes/policy/components/policy-gui/values.yaml 
@@ -22,52 +22,6 @@ global: # global defaults nodePortPrefix: 304 centralizedLoggingEnabled: true - #AAF service - aafEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - -certStores: - keyStorePassword: Pol1cy_0nap - keystoreLocation: /opt/app/policy/gui/etc/ssl/policy-keystore - truststoreLocation: /opt/app/policy/gui/etc/ssl/policy-truststore - trustStorePassword: Pol1cy_0nap - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: policy-gui-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export TRUSTSTORE='{{ .Values.credsPath }}/org.onap.policy.trust.jks'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - echo "export TRUSTSTORE_PASSWD='${cadi_truststore_password}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); subChartsOnly: enabled: true 
@@ -75,7 +29,7 @@ subChartsOnly: flavor: small # application image -image: onap/policy-gui:2.3.1 +image: onap/policy-gui:3.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -118,9 +72,11 @@ readiness: service: type: NodePort name: policy-gui - portName: http internalPort: 2443 - nodePort: 43 + ports: + - name: http + port: 2443 + nodePort: 43 # see https://wiki.onap.org/display/DW/OOM+NodePort+List @@ -128,12 +84,18 @@ ingress: enabled: false service: - baseaddr: "policy-ui" - name: "policygui" + name: "policy-gui" port: 2443 config: ssl: "redirect" -#resources: {} +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + + #resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -147,18 +109,18 @@ ingress: resources: small: limits: - cpu: 1 - memory: 200Mi + cpu: "1" + memory: "700Mi" requests: - cpu: 1m - memory: 50Mi + cpu: "0.5" + memory: "700Mi" large: limits: - cpu: 1 - memory: 500Mi + cpu: "2" + memory: "1.4Gi" requests: - cpu: 10m - memory: 50Mi + cpu: "1" + memory: "1.4Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml index f2f65dd583..8d04647a75 100755 --- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml 
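Review bot: The `service:` hunk keeps `type: NodePort` with `nodePort: 43` while this commit turns the listener into plain HTTP (`server.ssl.enabled: false` in application.yml), so the GUI would be offered on a node port without TLS, and traffic arriving that way does not carry the `istio-ingress` identity that the new `authorizedPrincipals` entry allows. If access is meant to go through the ingress only, `type: ClusterIP` states that directly; if `common.service` already downgrades NodePort when ingress or the mesh is enabled (not visible here), a comment saying so would save the next reader the lookup. The port is still numbered 2443 but named `http`, which is worth a one-line comment, e.g. `# plain HTTP despite the port number; TLS is terminated at the ingress`.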
@@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,18 +18,18 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml index 4c945f4605..3d03338836 100755 --- a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml @@ -17,24 +17,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: ["sh", "-c", "chown -R 200:200 /share"] 
@@ -48,25 +36,21 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.externalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: httpGet: path: {{ .Values.readiness.path }} - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /sonatype-work name: nexus-data resources: @@ -85,9 +69,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: nexus-data {{- if .Values.persistence.enabled }} persistentVolumeClaim: @@ -95,5 +76,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-nexus/templates/service.yaml b/kubernetes/policy/components/policy-nexus/templates/service.yaml index 6bec5619f6..6aee4ca230 100755 --- a/kubernetes/policy/components/policy-nexus/templates/service.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/service.yaml 
@@ -15,28 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml index ac0028d1d9..f10d55dcee 100755 --- a/kubernetes/policy/components/policy-nexus/values.yaml +++ b/kubernetes/policy/components/policy-nexus/values.yaml @@ -56,14 +56,18 @@ readiness: service: type: ClusterIP name: policy-nexus - portName: http - externalPort: 8081 internalPort: 8081 - nodePort: 36 + ports: + - name: http + port: 8081 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + ## Persist data to a persitent volume persistence: enabled: true 
@@ -79,18 +83,18 @@ resources: flavor: small small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1m - memory: 0.5Gi + cpu: "1m" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2m - memory: 1Gi + cpu: "2m" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index 41ec369108..0634118a4f 100755 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2019 Nordix Foundation. # Modified Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,18 +22,15 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index b68e8d6a71..614116ae23 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml 
@@ -26,7 +26,8 @@ spring: converters: preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort}}/policyadmin +{{ if not .Values.global.postgres.localCluster }} + url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" 
@@ -41,27 +42,42 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} +{{- else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort }}/policyadmin + driverClassName: org.postgresql.Driver + username: "${SQL_USER}" + password: "${SQL_PASSWORD}" + hikari: + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 + jpa: + hibernate: + ddl-auto: none + naming: + physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl + implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect + format_sql: true +{{ end }} server: port: 6969 ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false + servlet: + context-path: /policy/pap/v1 pap: name: PapGroup aaf: false + topic: + pdp-pap.name: {{ .Values.config.kafka.topics.policyPdpPap }} + notification.name: {{ .Values.config.kafka.topics.policyNotification }} + heartbeat.name: {{ .Values.config.kafka.topics.policyHeartbeat }} pdpParameters: heartBeatMs: 120000 updateParameters: 
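Review bot: `server.ssl.enabled` is now the literal `false` where it used to follow `common.needTLS`, so the chart has no remaining way to serve PAP over TLS. The same hard-coding appears in the `useHttps: false` health-check clients further down this file, the readiness probe `scheme: "HTTP"` in deployment.yaml, `isHttps: false` under `metrics` in values.yaml, and the `https`/`useHttps` entries of the xacml-pdp config.json. Those paths carry HTTP Basic credentials (`${API_USER}`/`${API_PASSWORD}`, and the probe's `Authorization` header), so confidentiality now depends entirely on a service mesh enforcing mTLS, which nothing in this chart checks. I would either keep a values switch for TLS or state the dependency where the setting lives, e.g. `# TLS is expected from the service-mesh sidecar; do not deploy this chart without mTLS enforced`.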
@@ -70,34 +86,54 @@ pap: stateChangeParameters: maxRetryCount: 1 maxWaitMs: 30000 - savePdpStatisticsInDb: false + savePdpStatisticsInDb: true topicParameterGroup: topicSources: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - fetchTimeout: 15000 - topicCommInfrastructure: dmaap - - topic: POLICY-HEARTBEAT - effectiveTopic: POLICY-PDP-PAP - consumerGroup: policy-pap - servers: - - message-router - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - fetchTimeout: 15000 - topicCommInfrastructure: dmaap + - useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + - useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.config.kafka.topics.policyHeartbeat }} + effectiveTopic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} topicSinks: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - topicCommInfrastructure: dmaap - - topic: POLICY-NOTIFICATION - servers: - - message-router - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - topicCommInfrastructure: dmaap + - useHttps: false + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + - useHttps: false + topic: {{ .Values.config.kafka.topics.policyNotification }} + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + # If Strimzi Kafka to be used for communication, replace following configuration for topicSources and topicSinks # servers: # - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 
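Review bot: `security.protocol: SASL_PLAINTEXT` is written literally in all four `additionalProps` blocks of this hunk, while `sasl.mechanism` next to it is read from `.Values.kafkaUser.authenticationType`. SCRAM keeps the password itself off the wire, but the topic traffic gets no transport encryption or integrity protection unless a mesh supplies it. I would take the protocol from values as well, through a new key such as `security.protocol: {{ .Values.config.kafka.securityProtocol | default "SASL_PLAINTEXT" }}`, so that a cluster exposing a TLS listener can switch to `SASL_SSL`; the xacml-pdp config.json carries the same literal. The four blocks differ only in `topic`/`effectiveTopic`, so a small named template would also keep them from drifting apart.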
@@ -113,20 +149,15 @@ pap: port: 6969 userName: "${API_USER}" password: "${API_PASSWORD}" - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + useHttps: false basePath: policy/api/v1/healthcheck - clientName: distribution hostname: policy-distribution port: 6969 userName: "${DISTRIBUTION_USER}" password: "${DISTRIBUTION_PASSWORD}" - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + useHttps: false basePath: healthcheck - - clientName: dmaap - hostname: message-router - port: {{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - basePath: topics management: endpoints: diff --git a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index e05204249e..9ca8b84a47 100755 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml 
+++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -33,8 +33,11 @@ spec: - /app/ready.py args: - --job-name +{{ if not .Values.global.postgres.localCluster }} - {{ include "common.release" . }}-policy-galera-config - env: +{{ else }} + - {{ include "common.release" . }}-policy-pg-config +{{ end }} env: - name: NAMESPACE valueFrom: fieldRef: @@ -42,7 +45,14 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + name: {{ include "common.name" . }}-db-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: @@ -65,10 +75,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }} - name: DISTRIBUTION_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: papconfig 
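Review bot: In the third hunk `JAASLOGIN` is now always read from the secret `{{ include "common.name" . }}-ku`, but values.yaml still declares the `policy-kafka-user` secret with `externalSecret: ... .Values.config.jaasConfExternalSecret`, which this deployment no longer consumes. An operator who supplies their own JAAS secret through that value would silently get the generated credentials instead. Either remove the stale `policy-kafka-user` entry from `secrets:` or keep honouring it here. A comment above the `secretKeyRef`, such as `# secret presumably created by the KafkaUser rendered from templates/kafkauser.yaml`, would make the origin of the `-ku` name clear once that is confirmed.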
@@ -77,24 +88,15 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/pap/bin/policy-pap.sh /opt/app/policy/pap/etc/mounted/papParameters.yaml"] -{{- else }} - command: ["/opt/app/policy/pap/bin/policy-pap.sh"] - args: ["/opt/app/policy/pap/etc/mounted/papParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} + + command: [ "/bin/sh", "-cx" ] + args: + - cat /opt/app/policy/pap/etc/mounted/papParameters.yaml; + /opt/app/policy/pap/bin/policy-pap.sh /opt/app/policy/pap/etc/mounted/papParameters.yaml ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container 
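Review bot: The new container command runs `cat /opt/app/policy/pap/etc/mounted/papParameters.yaml` under `sh -cx` before starting PAP, which writes the processed configuration to the pod log on every start. The template for that file contains `${SQL_PASSWORD}`, `${API_PASSWORD}`, `${DISTRIBUTION_PASSWORD}` and `${JAASLOGIN}`, and the update-config init container appears to resolve them with envsubst, so the database, REST and Kafka SCRAM credentials would be readable by anyone with log access and by whatever collects the logs. I would drop the `cat` and the `-x` and return to the direct form, `command: ["/opt/app/policy/pap/bin/policy-pap.sh"]` with `args: ["/opt/app/policy/pap/etc/mounted/papParameters.yaml"]`. Credentials that have already reached a log store through this path should be treated as exposed and rotated.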
@@ -112,21 +114,16 @@ spec: httpHeaders: - name: Authorization value: Basic {{ printf "%s:%s" .Values.restServer.user .Values.restServer.password | b64enc }} - scheme: {{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }} + scheme: "HTTP" successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/pap/etc/mounted name: papconfig-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -137,10 +134,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: papconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -148,5 +141,4 @@ spec: - name: papconfig-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 1d1561cd7c..484ff64a6c 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -25,7 +25,8 @@ global: nodePortPrefixExt: 304 persistence: {} - aafEnabled: true + postgres: + localCluster: false ################################################################# # Secrets metaconfig @@ -55,16 +56,6 @@ secrets: login: '{{ .Values.healthCheckRestClient.distribution.user }}' password: '{{ .Values.healthCheckRestClient.distribution.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - uid: policy-kafka-user externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' type: genericKV 
@@ -73,34 +64,11 @@ secrets: value: '{{ .Values.config.someConfig }}' policy: generate -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-pap-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:2.7.1 +image: onap/policy-pap:3.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -109,11 +77,13 @@ debugEnabled: false # application configuration db: - user: policy_user + user: policy-user password: policy_user service: name: policy-mariadb + pgName: policy-pg-primary internalPort: 3306 + internalPgPort: 5432 restServer: user: policyadmin 
@@ -155,31 +125,38 @@ readiness: service: type: ClusterIP name: policy-pap - useNodePortExt: true ports: - name: http-api port: 6969 - nodePort: 42 + - name: debug-port + port: 5005 + protocol: TCP ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + - serviceAccount: portal-app-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account @@ -197,7 +174,7 @@ metrics: enabled: true port: http-api interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-pap-user-creds @@ -207,14 +184,17 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap kafka: + topics: + policyHeartbeat: policy-heartbeat + policyNotification: policy-notification + policyPdpPap: policy-pdp-pap consumer: - groupId: policy-group + groupId: policy-pap app: listener: policyPdpPapTopic: policy-pdp-pap + # If targeting a custom kafka cluster, ie useStrimziKakfa: false # uncomment below config and target your kafka bootstrap servers, # along with any other security config. 
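Review bot: The first hunk adds `debug-port` 5005 to `service.ports` unconditionally, although `debugEnabled` defaults to `false` in this same file. 5005 is the conventional JDWP port and JDWP has no authentication, so if the JVM is ever started with the debug agent, every principal in the new `authorizedPrincipals` list, and any client in a cluster running without the mesh, can reach it through the Service. I would leave the port out of the default list and add it only in a debugging override. The container port is presumably rendered from the same list by `common.containerPorts`, so it would disappear with it.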
@@ -226,3 +206,22 @@ config: # # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-pap + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-notification + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index 4a5e8d15fa..a46d6128e8 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +21,15 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 12.0.0 +version: 14.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
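Review bot: Every topic ACL in the new `kafkaUser.acls` block uses `patternType: prefix` with `[Create, Describe, Read, Write]`, which grants the PAP user those operations on any topic whose name merely starts with `policy-pdp-pap`, `policy-heartbeat` or `policy-notification`. papParameters.yaml uses exactly those three names, reads `policy-heartbeat` only as a source and writes `policy-notification` only as a sink, so narrower grants would cover it. Assuming `common.kafkauser` passes the field through to the KafkaUser resource, I would use `patternType: literal` and trim the lists, e.g. `operations: [Describe, Read]` for the heartbeat topic and `operations: [Create, Describe, Write]` for the notification topic.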
diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json index 0f1744a9e4..7bf6707136 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json @@ -26,7 +26,7 @@ "port": 6969, "userName": "${RESTSERVER_USER}", "password": "${RESTSERVER_PASSWORD}", - "https": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "https": "false", "aaf": false, "prometheus": true }, 
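Review bot: `"https": "false"` in this hunk, and `"useHttps": "false"` in the next one, are JSON strings, whereas the old template rendered an unquoted boolean and the new `topicSources`/`topicSinks` entries in the same file use `"useHttps": false`. Whether the string is accepted depends on how lenient the application's JSON binding is, and a transport-security flag should not depend on that coercion. Write both as bare literals: `"https": false,` and `"useHttps": false,`.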
@@ -35,25 +35,37 @@ "port": 6969, "userName": "${API_USER}", "password": "${API_PASSWORD}", - "useHttps": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "useHttps": "false", "aaf": false }, "applicationParameters": { "applicationPath": "/opt/app/policy/pdpx/apps" }, "topicParameterGroup": { - "topicSources" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, - "fetchTimeout" : 15000, - "topicCommInfrastructure" : "dmaap" + "topicSources": [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "fetchTimeout": 15000, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id": "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } }], "topicSinks" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, - "topicCommInfrastructure" : "dmaap" - }] + "topic": "${PAP_TOPIC}", + "useHttps": false, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id": "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } + }] } } diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml index 2da0035fa0..cda1aa4bae 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -20,24 +20,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: 
@@ -54,11 +42,18 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done env: - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} @@ -72,6 +67,19 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} volumeMounts: - mountPath: /config-input name: pdpxconfig 
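Review bot: The `tr -d '"'` step added to the envsubst command deletes every double quote from the JAAS line so that it fits inside the JSON string in config.json, which also strips the quoting around the username and password values. The unquoted `$JAASLOGIN` passed to `echo` is additionally subject to word splitting and globbing. This works only while the generated password contains no spaces, `;`, `*` or backslashes, and a failure would surface later as a Kafka authentication error rather than as a configuration error. Escaping instead of deleting keeps the credential intact, with something like `JAASLOGIN=$(printf '%s' "$JAASLOGIN" | sed 's/\\/\\\\/g; s/"/\\"/g')`.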
@@ -80,26 +88,13 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/pdpx/bin/policy-pdpx.sh /opt/app/policy/pdpx/etc/mounted/config.json"] -{{- else }} command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"] args: ["/opt/app/policy/pdpx/etc/mounted/config.json"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -115,14 +110,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/pdpx/etc/mounted name: pdpxconfig-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -133,10 +123,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: pdpxconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -144,5 +130,4 @@ spec: - name: pdpxconfig-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..1d571df8b7 --- /dev/null +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml index 42995c8985..3e76c2ba36 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml 
@@ -18,22 +18,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index 691e9ce855..15ef5e3de1 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -21,7 +21,6 @@ ################################################################# global: persistence: {} - aafEnabled: true ################################################################# # Secrets metaconfig 
@@ -45,54 +44,23 @@ secrets: login: '{{ .Values.apiServer.user }}' password: '{{ .Values.apiServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-xacml-pdp-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:2.7.1 +image: onap/policy-xacml-pdp:3.1.1 pullPolicy: Always +componentName: &componentName policy-xacml-pdp + # flag to enable debugging - application support required debugEnabled: false # application configuration db: - user: policy_user + user: policy-user password: policy_user service: name: policy-mariadb 
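Review bot: The `db:` block still carries the literal default `password: policy_user` right under the renamed `user: policy-user`. This hunk removes the hard-coded keystore and AAF passwords, but that one stays in the chart. Whether the `secrets:` entry for the database replaces it at install time is not visible in this hunk, so it should be confirmed. If the default is meant for lab installs only, a comment such as `# lab default only - supply credentials through the db secret` on that line would say so.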
@@ -127,35 +95,61 @@ readiness: service: type: ClusterIP - name: policy-xacml-pdp - portName: http - externalPort: 6969 + name: *componentName internalPort: 6969 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datafile-collector-read + - serviceAccount: dcae-datalake-admin-ui-read + - serviceAccount: dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read + - serviceAccount: dcae-heartbeat-read + - serviceAccount: dcae-hv-ves-collector-read + - serviceAccount: dcae-kpi-ms-read + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: dcae-pmsh-read + - serviceAccount: dcae-prh-read + - serviceAccount: dcae-restconf-collector-read + - serviceAccount: dcae-slice-analysis-ms-read + - serviceAccount: dcae-snmptrap-collector-read + - serviceAccount: dcae-son-handler-read + - serviceAccount: dcae-tcagen2-read + - serviceAccount: dcae-ves-collector-read + - serviceAccount: dcae-ves-mapper-read + - serviceAccount: dcae-ves-openapi-manager-read + - serviceAccount: strimzi-kafka-read + - serviceAccount: oof-read + - serviceAccount: sdnc-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-xacml-pdp + nameOverride: *componentName roles: - read @@ -168,7 +162,7 @@ metrics: enabled: true port: policy-xacml-pdp interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-xacml-pdp-restserver-creds 
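Review bot: In the `metrics:` hunk, `isHttps: false` now sits directly above `basicAuth: enabled: true`, so the scrape sends the REST server's basic-auth credentials over plain HTTP unless something else encrypts that hop. The same diff drops the AAF certificates and adds a `serviceMesh.authorizationPolicy` block, which suggests mesh mTLS is expected to cover it, but nothing in this values file enforces that. I would add a comment on the changed line, `# plain HTTP: relies on service-mesh mTLS to protect the basic-auth header`, and confirm the chart is not meant to be deployed with the mesh disabled.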
@@ -179,3 +173,26 @@ metrics: chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' release: '{{ include "common.release" . }}' heritage: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-xacml-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-xacml-pdp + type: group + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + + diff --git a/kubernetes/policy/resources/config/db.sh b/kubernetes/policy/resources/config/db.sh index 866d422c14..d793a024df 100755 --- a/kubernetes/policy/resources/config/db.sh +++ b/kubernetes/policy/resources/config/db.sh 
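Review bot: The topic ACL for `policy-pdp-pap` uses `patternType: prefix`, which grants Create, Describe, Read and Write on every topic whose name starts with that string, not only on the topic named in `config.app.listener.policyPdpPapTopic`. If the PDP only needs that one topic, `patternType: literal` keeps the grant to it. If the prefix match is deliberate, a short comment naming the other topics it is meant to cover would help the next reviewer.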
@@ -17,12 +17,31 @@ # limitations under the License. */}} -mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; }; +mysqlcmd() { mysql -h ${MYSQL_HOST} -P ${MYSQL_PORT} "$@"; }; +i=5 +RESULT_VARIABLE=0 +echo "Check if user ${MYSQL_USER} is created in DB ${MYSQL_HOST}" +while [ $i -gt 0 ] && [ "$RESULT_VARIABLE" != 1 ] +do + i=$(( i-1 )) + RESULT_VARIABLE="$(mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" -se "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '${MYSQL_USER}')")" + if [ "$RESULT_VARIABLE" = 1 ]; then + echo "User ${MYSQL_USER} exists" + else + echo "User ${MYSQL_USER} does not exist" + sleep 10 + fi +done +if [ "$RESULT_VARIABLE" != 1 ]; then + exit 1 +fi for db in migration pooling policyadmin policyclamp operationshistory clampacm do - mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" - mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" + echo "Create DB ${db}" + mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" + echo "Grand access for user ${MYSQL_USER}" + mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" done - -mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;" +echo "Flush privileges" +mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;" diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 0df26568e5..3880d2383c 100755 --- a/kubernetes/policy/templates/job.yaml +++ b/kubernetes/policy/templates/job.yaml @@ -16,6 +16,7 @@ # limitations under the License. */}} +{{ if not .Values.global.postgres.localCluster }} apiVersion: batch/v1 kind: Job metadata: 
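Review bot: Every `mysqlcmd` call in the db.sh hunk passes the root password as `-p"${MYSQL_ROOT_PASSWORD}"`, which puts it in the process argument list, and the new existence check repeats that inside a retry loop. Since the variable is already in the container's environment, the wrapper could carry it instead, `mysqlcmd() { MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" mysql -h "${MYSQL_HOST}" -P "${MYSQL_PORT}" -uroot "$@"; }`, with `-uroot -p"…"` dropped from the call sites; an option file passed with `--defaults-extra-file` is the alternative if `MYSQL_PWD` is deprecated in the client in use. That form also quotes `${MYSQL_HOST}` and `${MYSQL_PORT}`, which the new wrapper leaves unquoted. Separately, the loop prints "does not exist" when the connection itself fails, and the message `Grand access` should read `Grant access`.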
@@ -32,25 +33,12 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-galera-init spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - name: {{ include "common.name" . }}-mariadb-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - - --container-name - - {{ index .Values "mariadb-galera" "service" "name" }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_mariadb ) | indent 6 | trim }} containers: - name: {{ include "common.name" . }}-galera-config - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadb.image }} + image: {{ include "repositoryGenerator.image.mariadb" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - mountPath: /dbcmd-config/db.sh @@ -72,11 +60,10 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: MYSQL_PORT value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if (include "common.onServiceMesh" .) }} - name: policy-service-mesh-wait-for-job-container - image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0 + image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always command: - /bin/sh @@ -101,6 +88,7 @@ spec: items: - key: db.sh path: db.sh +{{ end }} {{ if .Values.global.postgres.localCluster }} --- 
@@ -120,12 +108,12 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-pg-init spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: {{ if .Values.global.postgres.localCluster }}{{ include "common.readinessCheck.waitFor" . | nindent 6 }}{{ end }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + initContainers: + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_postgres ) | indent 6 | trim }} containers: - name: {{ include "common.name" . }}-pg-config - image: {{ .Values.repository }}/{{ .Values.postgresImage }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - mountPath: /docker-entrypoint-initdb.d/db-pg.sh 
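Review bot: The pg-init container image is still built from `.Values.postgresImage`, and the values.yaml later in this diff keeps that at `library/postgres:latest`. The job that receives `PG_ADMIN_PASSWORD` therefore runs whatever that tag resolves to at deploy time. This hunk only changes the registry prefix to `repositoryGenerator.repository`, while the MariaDB job in the same file moved to a chart-managed image via `repositoryGenerator.image.mariadb`. I would pin the value, for example `postgresImage: library/postgres:<pinned-version>` (placeholder for the version the charts are tested against), or pin by digest. The job spec continues outside this hunk.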
@@ -140,20 +128,19 @@ spec: /docker-entrypoint-initdb.d/db-pg.sh env: - name: PG_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} - name: PG_HOST value: "{{ .Values.postgres.service.name2 }}" - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - name: PG_USER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - name: PG_PORT value: "{{ .Values.postgres.service.internalPort }}" - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if (include "common.onServiceMesh" .) }} - name: policy-service-mesh-wait-for-job-container - image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0 + image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always command: - /bin/sh @@ -181,6 +168,7 @@ spec: {{ end }} --- +{{ if not .Values.global.postgres.localCluster }} apiVersion: batch/v1 kind: Job metadata: 
@@ -197,23 +185,29 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-galera-config spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-galera-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + - name: {{ include "common.name" . }}-init-readiness + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.fullname" . }}-galera-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-galera-db-migrator image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} @@ -242,11 +236,10 @@ spec: value: {{ .Values.dbmigrator.policy_home }} - name: SCRIPT_DIRECTORY value: "sql" - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if (include "common.onServiceMesh" .) }} - name: policy-service-mesh-wait-for-job-container - image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0 + image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always command: - /bin/sh 
@@ -271,7 +264,7 @@ spec: items: - key: db_migrator_policy_init.sh path: db_migrator_policy_init.sh - +{{ end }} {{ if .Values.global.postgres.localCluster }} --- apiVersion: batch/v1 @@ -290,23 +283,29 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }}-pg-config spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-pg-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + - name: {{ include "common.name" . }}-init-readiness + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.fullname" . }}-pg-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-pg-db-migrator image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} 
@@ -326,9 +325,9 @@ spec: - name: SQL_HOST value: "{{ .Values.postgres.service.name2 }}" - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - name: SQL_DB value: {{ .Values.dbmigrator.schema }} - name: POLICY_HOME @@ -336,12 +335,11 @@ spec: - name: SCRIPT_DIRECTORY value: "postgres" - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - resources: -{{ include "common.resources" . }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if (include "common.onServiceMesh" .) }} - name: policy-service-mesh-wait-for-job-container - image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0 + image: {{ include "repositoryGenerator.image.quitQuit" . }} imagePullPolicy: Always command: - /bin/sh diff --git a/kubernetes/policy/templates/policy-kafka-topics.yaml b/kubernetes/policy/templates/policy-kafka-topics.yaml index 1894d62a42..feb29f3b0c 100644 --- a/kubernetes/policy/templates/policy-kafka-topics.yaml +++ b/kubernetes/policy/templates/policy-kafka-topics.yaml 
@@ -13,19 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.config.useStrimziKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.acRuntimeTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: {{ .Values.config.acRuntimeTopic.partitions }} - config: - retention.ms: {{ .Values.config.acRuntimeTopic.retentionMs }} - segment.bytes: {{ .Values.config.acRuntimeTopic.segmentBytes }} ---- + apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: @@ -61,4 +49,3 @@ spec: config: retention.ms: {{ .Values.config.policyNotificationTopic.retentionMs }} segment.bytes: {{ .Values.config.policyNotificationTopic.segmentBytes }} -{{- end }} diff --git a/kubernetes/policy/templates/policy-kafka-user.yaml b/kubernetes/policy/templates/policy-kafka-user.yaml index 43edb64c83..ed399ed9c7 100644 --- a/kubernetes/policy/templates/policy-kafka-user.yaml +++ b/kubernetes/policy/templates/policy-kafka-user.yaml @@ -1,6 +1,5 @@ {{/* -# Copyright © 2022 Nordix Foundation -# Modifications Copyright © 2022 Nordix Foundation +# Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.config.useStrimziKafka }} + apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: @@ -29,11 +28,7 @@ spec: acls: - resource: type: group - name: {{ .Values.config.acRuntimeTopic.consumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.config.acRuntimeTopic.name }} + name: {{ .Values.config.policyPdpPapTopic.consumer.groupId }} operation: All - resource: type: topic 
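Review bot: In policy-kafka-user.yaml the group entry renamed to `.Values.config.policyPdpPapTopic.consumer.groupId` keeps `operation: All`, as do the topic entries around it. That grants alter and delete rights, which a consumer/producer identity does not normally need. The per-component `kafkaUser` added for policy-xacml-pdp in this same diff lists `[ Create, Describe, Read, Write ]` instead. If the deployed Strimzi version accepts the list form, `operations: [ Describe, Read, Write ]` per resource would bring this shared user in line with it. The `acls:` list continues outside the hunk.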
@@ -47,4 +42,3 @@ spec: type: topic name: {{ .Values.config.policyNotificationTopic.name }} operation: All -{{- end }} diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index b3297278a9..9497c3c2c4 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -1,6 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021-2022 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,15 +18,22 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true - mariadb: + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + localCluster: true # '&mariadbConfig' means we "store" the values for later use in the file # with '*mariadbConfig' pointer. config: &mariadbConfig mysqlDatabase: policyadmin - service: &mariadbService - name: &policy-mariadb policy-mariadb - internalPort: 3306 + service: &mariadbService policy-mariadb + internalPort: 3306 + nameOverride: *mariadbService + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: prometheusEnabled: false postgres: localCluster: false 
@@ -36,9 +43,11 @@ global: name3: tcp-pgset-replica container: name: postgres - kafkaBootstrap: strimzi-kafka-bootstrap + kafkaBootstrap: strimzi-kafka-bootstrap:9092 policyKafkaUser: policy-kafka-user - + kafkaTopics: + acRuntimeTopic: + name: policy.clamp-runtime-acm ################################################################# # Secrets metaconfig ################################################################# @@ -46,7 +55,19 @@ secrets: - uid: db-root-password name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' type: password - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) (hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret"))}}' + externalSecret: '{{ .Values.global.mariadbGalera.localCluster | + ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) + ) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' policy: generate - uid: db-secret 
@@ -77,19 +98,6 @@ secrets: login: '{{ .Values.restServer.policyApiUserName }}' password: '{{ .Values.restServer.policyApiUserPassword }}' passwordPolicy: required - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-policy-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "policy-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-policy-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "policy-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate db: &dbSecretsHook credsExternalSecret: *dbSecretName 
@@ -120,39 +128,34 @@ policy-apex-pdp: config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-drools-pdp: - enabled: true + enabled: false db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-distribution: enabled: true db: *dbSecretsHook - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-clamp-ac-k8s-ppnt: enabled: true - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-clamp-ac-pf-ppnt: enabled: true restServer: apiUserExternalSecret: *policyApiCredsSecret papUserExternalSecret: *policyPapCredsSecret - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-clamp-ac-http-ppnt: enabled: true - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' -policy-nexus: - enabled: false - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' +policy-clamp-ac-a1pms-ppnt: + enabled: true +policy-clamp-ac-kserve-ppnt: + enabled: true policy-clamp-runtime-acm: enabled: true db: *dbSecretsHook config: appUserExternalSecret: *policyAppCredsSecret +policy-nexus: + enabled: false + config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-gui: enabled: false @@ -163,14 +166,8 @@ policy-gui: # DB configuration defaults. ################################################################# -repository: nexus3.onap.org:10001 -pullPolicy: Always - -mariadb: - image: mariadb:10.5.8 - dbmigrator: - image: onap/policy-db-migrator:2.5.1 + image: onap/policy-db-migrator:3.1.0 schema: policyadmin policy_home: "/opt/app/policy" 
@@ -202,14 +199,6 @@ readiness: config: policyAppUserName: runtimeUser - useStrimziKafka: true - acRuntimeTopic: - name: policy-acruntime-participant - partitions: 10 - retentionMs: 7200000 - segmentBytes: 1073741824 - consumer: - groupId: policy-group policyPdpPapTopic: name: policy-pdp-pap partitions: 10 @@ -234,23 +223,27 @@ config: someConfig: blah mariadb-galera: - # mariadb-galera.config and global.mariadb.config must be equals + # mariadb-galera.config and global.mariadbGalera.config must be equals db: - user: policy_user + user: policy-user # password: externalSecret: *dbSecretName name: &mysqlDbName policyadmin rootUser: externalSecret: *dbRootPassSecretName - nameOverride: *policy-mariadb - # mariadb-galera.service and global.mariadb.service must be equals - service: *mariadbService + nameOverride: *mariadbService + # mariadb-galera.service and global.mariadbGalera.service must be equals + service: + name: *mariadbService replicaCount: 1 + mariadbOperator: + galera: + enabled: false persistence: enabled: true mountSubPath: policy/maria/data serviceAccount: - nameOverride: *policy-mariadb + nameOverride: *mariadbService postgresImage: library/postgres:latest # application configuration override for postgres @@ -268,14 +261,18 @@ postgres: mountSubPath: policy/postgres/data mountInitPath: policy config: - pgUserName: policy_user + pgUserName: policy-user pgDatabase: policyadmin - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName + pgUserExternalSecret: *dbSecretName + pgRootPasswordExternalSecret: *dbRootPassSecretName readinessCheck: - wait_for: - - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}' + wait_for_postgres: + services: + - '{{ .Values.global.postgres.service.name2 }}' + wait_for_mariadb: + services: + - '{{ include "common.mariadbService" . }}' restServer: policyPapUserName: policyadmin 
@@ -289,18 +286,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "100m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "200m" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/portal-ng/.helmignore b/kubernetes/portal-ng/.helmignore new file mode 100644 index 0000000000..5483707e0d --- /dev/null +++ b/kubernetes/portal-ng/.helmignore @@ -0,0 +1,33 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ + diff --git a/kubernetes/portal-ng/Chart.yaml b/kubernetes/portal-ng/Chart.yaml new file mode 100644 index 0000000000..32a45042b4 --- /dev/null +++ b/kubernetes/portal-ng/Chart.yaml 
@@ -0,0 +1,36 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Next Generation Portal +name: portal-ng +version: 13.0.1 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: portal-ng-bff + version: ~13.x-0 + repository: '@local' + - name: portal-ng-preferences + version: ~13.x-0 + repository: '@local' + - name: portal-ng-history + version: ~13.x-0 + repository: '@local' + - name: portal-ng-ui + version: ~13.x-0 + repository: '@local' + diff --git a/kubernetes/appc/Makefile b/kubernetes/portal-ng/Makefile similarity index 100% rename from kubernetes/appc/Makefile rename to kubernetes/portal-ng/Makefile diff --git a/kubernetes/portal-ng/README.md b/kubernetes/portal-ng/README.md new file mode 100644 index 0000000000..82813a6705 --- /dev/null +++ b/kubernetes/portal-ng/README.md @@ -0,0 +1,19 @@ + +# Helm Chart for the Portal Application \ No newline at end of file diff --git a/kubernetes/portal-ng/components/Makefile b/kubernetes/portal-ng/components/Makefile new file mode 100644 index 0000000000..08ed7cb9da --- /dev/null +++ b/kubernetes/portal-ng/components/Makefile 
@@ -0,0 +1,58 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts docker +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: diff --git a/kubernetes/portal-ng/components/portal-ng-bff/.helmignore b/kubernetes/portal-ng/components/portal-ng-bff/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null 
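Review bot: The `$(HELM_CHARTS)` recipe runs `@make package-$@` with a literal `make`, so flags given to the parent (`-n`, `-j`, variable overrides) are not passed down reliably. `@$(MAKE) package-$@`, and `$(MAKE) -C $*` in `make-%`, is the usual form. In `package-%`, `cm-push -f` force-overwrites a chart of the same version already in the `local` repository. A one-line comment saying this is intended for local rebuilds would make clear the target should not be pointed at a shared chart repository.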
+++ b/kubernetes/portal-ng/components/portal-ng-bff/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml
new file mode 100644
index 0000000000..ec9769d819
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml
@@ -0,0 +1,49 @@
+# Copyright (C) 2022 Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+name: portal-ng-bff
+description: Helm chart of the backend for ONAP portal. This micro service follows the backend for frontend approach.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 13.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: latest
+
+dependencies:
+ - name: common
+ version: ~13.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~13.x-0
+ repository: '@local'
+
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/README.md b/kubernetes/portal-ng/components/portal-ng-bff/README.md
new file mode 100644
index 0000000000..4baa4f2d08
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-bff/README.md
@@ -0,0 +1,8 @@
+# Portal-bff helm chart
+This repository contains the chart for the portal-bff.
+
+# Redis chart
+The app has a dependency to Redis. The chart for this was obtained from [artifacthub](https://artifacthub.io/packages/helm/bitnami/redis). For updates to that chart, go there click on `Install` and copy the direct link. Then do a
+``` bash
+wget -P charts/ https://charts.bitnami.com/bitnami/redis-16.8.7.tgz
+```
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml
new file mode 100644
index 0000000000..b45ead6a52
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-configmap
+ namespace: {{ include "common.namespace" . }}
+data:
+ {{- range $key, $val := .Values.env }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end -}}
\ No newline at end of file
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml
new file mode 100644
index 0000000000..ef54110af4
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml
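Review bot: `appVersion: latest` in the portal-ng-bff Chart.yaml is a mutable tag, and the deployment template added in the same change falls back to `.Chart.AppVersion` for the image tag while values.yaml sets `pullPolicy: Always`, so any pod restart can pull a different, unreviewed image. Pin a released version here, for example `appVersion: <released-bff-version>` (placeholder), or set `image.tag` in values.yaml, ideally together with an image digest. The Chart.yaml hunks for portal-ng-history and portal-ng-preferences carry the same `appVersion: latest`.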
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ replicas: {{ .Values.replicaCount }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ {{- include "common.imagePullSecrets" . | nindent 6 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ envFrom:
+ - configMapRef:
+ name: {{ include "common.fullname" . }}-configmap
+ - secretRef:
+ name: {{ include "common.fullname" . }}-secret
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /actuator/health/readiness
+ port: {{ .Values.service.port }}
+ initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
+ failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
+ livenessProbe:
+ httpGet:
+ path: /actuator/health/liveness
+ port: {{ .Values.service.port }}
+ initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+ failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/hpa.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/hpa.yaml
new file mode 100644
index 0000000000..b686ac998b
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/hpa.yaml
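Review bot: The container in this Deployment has no `securityContext` and no `resources`, so it runs with whatever user and privileges the image defines and with no CPU or memory bounds. Add a container-level security context along the lines of the block below and render `resources` from values; the settings are a constructed starting point, and `readOnlyRootFilesystem` has to be checked against what the application writes at runtime. The pod spec also sets no `serviceAccountName`, so the account configured under `serviceAccount` in values.yaml appears to be unused by this pod (hedged: the common templates are not visible here). The deployment.yaml hunks for portal-ng-history and portal-ng-preferences have the same gaps.

```yaml
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          # … unchanged: envFrom, ports, readinessProbe, livenessProbe …
```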
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "common.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/secret.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/secret.yaml
new file mode 100644
index 0000000000..a47b707284
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.fullname" . }}-secret
+ namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+ {{- range $key, $val := .Values.secretEnv }}
+ {{ $key }}: {{ $val | b64enc | quote }}
+ {{- end -}}
\ No newline at end of file
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/service.yaml
new file mode 100644
index 0000000000..301d358c3b
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/service.yaml
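Review bot: `apiVersion: autoscaling/v2beta1` in hpa.yaml is no longer served from Kubernetes 1.25 on, so turning on `autoscaling.enabled` on a current cluster makes the release fail, and `targetAverageUtilization` exists only in that beta schema. Move to `autoscaling/v2` and the `target` form shown below. Because the HPA is disabled by default, linting and a default install render nothing from this template and will not surface the problem. The hpa.yaml hunks for portal-ng-history and portal-ng-preferences use the same API version and fields.

```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, scaleTargetRef, minReplicas, maxReplicas …
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
# … memory metric: same target block with targetMemoryUtilizationPercentage …
```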
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/tests/test-connection.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/tests/test-connection.yaml
new file mode 100644
index 0000000000..327df40ef6
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/tests/test-connection.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "common.fullname" . }}-test-connection
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/values.yaml b/kubernetes/portal-ng/components/portal-ng-bff/values.yaml
new file mode 100644
index 0000000000..b8b7c3d061
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-bff/values.yaml
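Review bot: The test pod in test-connection.yaml uses `image: busybox` with no registry and no tag, so it bypasses the `repositoryGenerator.repository` prefix that the Deployment uses and resolves to whatever `busybox:latest` is on the runtime's default registry when the test runs. Render it through the repository helper with a pinned tag, e.g. `image: {{ include "repositoryGenerator.repository" . }}/busybox:<pinned-tag>` (placeholder tag), or through a shared busybox image helper if the repositoryGenerator chart provides one. The test-connection.yaml hunks for portal-ng-history and portal-ng-preferences are the same blob (`327df40ef6`) and need the same change.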
@@ -0,0 +1,59 @@
+global: {}
+
+# Default values for bff.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+image:
+ imageName: onap/portal-ng/bff
+ pullPolicy: Always
+ # Overrides the image tag whose default value is the chart appVersion.
+ # tag: 0.1.0
+
+replicaCount: 2
+
+# Specifies how many old replicas will be retained in a deployment
+revisionHistoryLimit: 2
+
+# Custom selector label (for bigger namespaces with other components)
+partOf: portal
+
+service:
+ type: ClusterIP
+ port: 9080
+ ports:
+ - name: http
+ port: 9080
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+
+probes:
+ readiness:
+ initialDelaySeconds: 20
+ failureThreshold: 4
+ liveness:
+ initialDelaySeconds: 20
+ failureThreshold: 4
+
+env:
+ KEYCLOAK_URL: http://keycloakx-http.keycloak/auth
+ KEYCLOAK_REALM: ONAP
+ HISTORY_URL: http://portal-ng-history:9002
+ PREFERENCES_URL: http://portal-ng-preferences:9001
+ TRACING_ENABLED: true
+ COLLECTOR_HOST: jaeger-collector.istio-system
+ COLLECTOR_PORT: 9411
+
+secretEnv:
+ KEYCLOAK_CLIENT_ID: portal-bff
+ KEYCLOAK_CLIENT_SECRET: pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: portal-ng-bff
+ roles:
+ - read
+
diff --git a/kubernetes/portal-ng/components/portal-ng-history/.helmignore b/kubernetes/portal-ng/components/portal-ng-history/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-history/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
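Review bot: `secretEnv.KEYCLOAK_CLIENT_SECRET` in the portal-ng-bff values.yaml ships a concrete credential as a chart default, so every installation that does not override it shares a client secret that is published in the repository, and the Secret template only base64-encodes it. Leave the default empty and make rendering fail when it is unset, e.g. `{{ $key }}: {{ required (printf "secretEnv.%s must be set" $key) $val | b64enc | quote }}` in secret.yaml, or generate it through the project's shared secret handling if one exists. The committed value should be treated as disclosed and rotated wherever it is in use. The values.yaml hunks for portal-ng-history and portal-ng-preferences have the same problem with `MONGO_PASSWORD`, `mongodb.auth.passwords` and `mongodb.auth.rootPassword`.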
diff --git a/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml new file mode 100644 index 0000000000..27e7f58afd --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml 
@@ -0,0 +1,51 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-history +description: Helm chart of the history. This micro service provides the latest user actions of the ONAP portal. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 13.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. 
+appVersion: latest + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: mongodb + version: 14.12.2 + repository: '@local' diff --git a/kubernetes/portal-ng/components/portal-ng-history/README.md b/kubernetes/portal-ng/components/portal-ng-history/README.md new file mode 100644 index 0000000000..0c0e7b34bb --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/README.md @@ -0,0 +1,2 @@ +# History helm chart +This repository contains the chart for the history service. \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml new file mode 100644 index 0000000000..f8c23479e1 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml @@ -0,0 +1,24 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} \ No newline at end of file 
diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml new file mode 100644 index 0000000000..a2a924b488 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml 
@@ -0,0 +1,48 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + - secretRef: + name: {{ include "common.fullname" . }}-secret + ports: {{ include "common.containerPorts" . | nindent 12 }} + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} \ No newline at end of file 
diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/hpa.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/hpa.yaml new file mode 100644 index 0000000000..9ac9406eda --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/hpa.yaml @@ -0,0 +1,47 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} 
diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/secret.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/secret.yaml new file mode 100644 index 0000000000..9fee578d43 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/secret.yaml @@ -0,0 +1,25 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-secret + namespace: {{ include "common.namespace" . }} +type: Opaque +data: + {{- range $key, $val := .Values.secretEnv }} + {{ $key }}: {{ $val | b64enc | quote }} + {{- end -}} \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/service.yaml new file mode 100644 index 0000000000..301d358c3b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/service.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/tests/test-connection.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..327df40ef6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/tests/test-connection.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "common.fullname" . }}-test-connection + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/kubernetes/portal-ng/components/portal-ng-history/values.yaml b/kubernetes/portal-ng/components/portal-ng-history/values.yaml new file mode 100644 index 0000000000..dc999841ef --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/values.yaml 
@@ -0,0 +1,81 @@
+global: {}
+
+image:
+ imageName: onap/portal-ng/history
+ pullPolicy: Always
+ # Overrides the image tag whose default value is the chart appVersion.
+ # tag: 0.1.0
+
+replicaCount: 1
+
+# Specifies how many old replicas will be retained in a deployment
+revisionHistoryLimit: 2
+
+imagePullSecrets:
+ - name: onap-docker-registry-key
+nameOverride: ""
+fullnameOverride: ""
+
+# Custom selector label (for bigger namespaces with other components)
+partOf: portal
+
+service:
+ type: ClusterIP
+ port: 9002
+ ports:
+ - name: http
+ port: 9002
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 80
+
+probes:
+ readiness:
+ initialDelaySeconds: 20
+ failureThreshold: 4
+ liveness:
+ initialDelaySeconds: 20
+ failureThreshold: 4
+
+secretEnv:
+ MONGO_USERNAME: dbuser
+ MONGO_PASSWORD: dbpassword
+ MONGO_DATABASE: history
+
+env:
+ KEYCLOAK_URL: http://keycloakx-http.keycloak
+ KEYCLOAK_REALM: ONAP
+ MONGO_HOST: history-mongodb
+ MONGO_PORT: 27017
+ TRACING_ENABLED: true
+ COLLECTOR_HOST: jaeger-collector.istio-system
+ COLLECTOR_PORT: 9411
+
+mongodb:
+ nameOverride: history-mongodb
+ service:
+ portName: tcp-mongodb
+ auth:
+ rootPassword: TrWAweN9y9eW
+ usernames:
+ - dbuser
+ passwords:
+ - dbpassword
+ databases:
+ - history
+ resources:
+ limits:
+ cpu: "2"
+ memory: "2Gi"
+ requests:
+ cpu: "250m"
+ memory: "500Mi"
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: portal-ng-history
+ roles:
+ - read
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/.helmignore b/kubernetes/portal-ng/components/portal-ng-preferences/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
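Review bot: The MongoDB user credentials are written twice in the portal-ng-history values.yaml, once under `secretEnv` (`MONGO_USERNAME`, `MONGO_PASSWORD`, `MONGO_DATABASE`) and once under `mongodb.auth`, with nothing tying the two together, so an operator who overrides only one side at install time gets an application that cannot authenticate. Define the credential once and reference it from both places, for instance one Secret consumed by the application and handed to the subchart (what the mongodb subchart accepts is not visible here, so confirm), and until then add a comment such as `# must match mongodb.auth.passwords[0]` next to `MONGO_PASSWORD`. `mongodb.auth.rootPassword` is also the same literal as in the portal-ng-preferences values.yaml, so both databases share a root password by default. The preferences values.yaml hunk has the same duplication.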
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml new file mode 100644 index 0000000000..2ec186a800 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml 
@@ -0,0 +1,53 @@ +# Copyright (C) 2024 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-preferences +description: Helm chart of the preferences. This micro service provides the user preferences for the ONAP portal. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 13.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. 
+appVersion: latest + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: mongodb + version: 14.12.2 + repository: '@local' + + diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/README.md b/kubernetes/portal-ng/components/portal-ng-preferences/README.md new file mode 100644 index 0000000000..4ae034609d --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/README.md @@ -0,0 +1,2 @@ +# Preferences helm chart +This repository contains the chart for the preferences service. \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml new file mode 100644 index 0000000000..f8c23479e1 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml @@ -0,0 +1,24 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} \ No newline at end of file 
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml new file mode 100644 index 0000000000..a2a924b488 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml 
@@ -0,0 +1,48 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + - secretRef: + name: {{ include "common.fullname" . }}-secret + ports: {{ include "common.containerPorts" . | nindent 12 }} + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} \ No newline at end of file 
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/hpa.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/hpa.yaml new file mode 100644 index 0000000000..9ac9406eda --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/hpa.yaml @@ -0,0 +1,47 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} 
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/secret.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/secret.yaml new file mode 100644 index 0000000000..90c67ee74a --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/secret.yaml @@ -0,0 +1,25 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-secret + namespace: {{ include "common.namespace" . }} +type: Opaque +data: + {{- range $key, $val := .Values.secretEnv }} + {{ $key }}: {{ $val | b64enc | quote }} + {{- end -}} \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/service.yaml new file mode 100644 index 0000000000..3639dace48 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/service.yaml 
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2024 Deutsche Telekom.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/tests/test-connection.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/tests/test-connection.yaml
new file mode 100644
index 0000000000..327df40ef6
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/tests/test-connection.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "common.fullname" . }}-test-connection
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml
new file mode 100644
index 0000000000..2f6d1bae78
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml
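Review bot: `image: busybox` in the test-connection pod carries no registry, tag or digest, so the helm test pulls whatever the node's default registry serves as `busybox:latest` at that moment. It also skips the `repositoryGenerator.repository` prefix that the portal-ng-ui deployment in this commit uses for its image, which matters for installs that mirror images into a private registry. Pinning it, for example `image: {{ include "repositoryGenerator.repository" . }}/busybox:<pinned-tag>`, keeps the test reproducible and inside the same image source as the chart. The pod also sets no `resources` or `securityContext`, which namespaces enforcing a restricted pod security profile may reject.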
@@ -0,0 +1,82 @@
+global: {}
+
+# Default values for preferences.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+image:
+ imageName: onap/portal-ng/preferences
+ pullPolicy: Always
+ # Overrides the image tag whose default value is the chart appVersion.
+ # tag: 0.1.0
+
+replicaCount: 1
+
+# Specifies how many old replicas will be retained in a deployment
+revisionHistoryLimit: 2
+
+nameOverride: ""
+fullnameOverride: ""
+
+# Custom selector label (for bigger namespaces with other components)
+partOf: portal
+
+service:
+ type: ClusterIP
+ port: 9001
+ ports:
+ - name: http
+ port: 9001
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 80
+
+probes:
+ readiness:
+ initialDelaySeconds: 20
+ failureThreshold: 4
+ liveness:
+ initialDelaySeconds: 20
+ failureThreshold: 4
+
+secretEnv:
+ MONGO_USERNAME: dbuser
+ MONGO_PASSWORD: dbpassword
+ MONGO_DATABASE: Preferences
+
+env:
+ KEYCLOAK_URL: http://keycloakx-http.keycloak
+ KEYCLOAK_REALM: ONAP
+ MONGO_HOST: preferences-mongodb
+ MONGO_PORT: 27017
+ TRACING_ENABLED: true
+ COLLECTOR_HOST: jaeger-collector.istio-system
+ COLLECTOR_PORT: 9411
+
+mongodb:
+ nameOverride: preferences-mongodb
+ service:
+ portName: tcp-mongodb
+ auth:
+ rootPassword: TrWAweN9y9eW
+ usernames:
+ - dbuser
+ passwords:
+ - dbpassword
+ databases:
+ - Preferences
+ resources:
+ limits:
+ cpu: "2"
+ memory: "2Gi"
+ requests:
+ cpu: "250m"
+ memory: "500Mi"
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: portal-ng-preferences
+ roles:
+ - read
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/.helmignore b/kubernetes/portal-ng/components/portal-ng-ui/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-ui/.helmignore
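Review bot: The chart defaults commit working database credentials: `secretEnv.MONGO_PASSWORD`, `mongodb.auth.passwords` and `mongodb.auth.rootPassword` all hold literal values, so any install that does not override them runs MongoDB with passwords that are public in this repository. These are better left empty here and supplied per deployment, or generated through whatever secret mechanism the common chart offers, with a comment above `secretEnv:` such as `# credentials must be overridden per deployment; do not rely on chart defaults`. The user, password and database are also written twice, under `secretEnv` and under `mongodb.auth`, so an override of one without the other leaves the application unable to authenticate. `KEYCLOAK_URL` is plain `http://`; it is worth confirming that this hop is protected by the mesh rather than assumed.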
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml
new file mode 100644
index 0000000000..4dcb25cc3a
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml
@@ -0,0 +1,48 @@
+# Copyright (C) 2022 Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v2
+name: portal-ng-ui
+description: Helm chart of the UI part of the ONAP portal.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 13.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: latest
+
+dependencies:
+ - name: common
+ version: ~13.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~13.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~13.x-0
+ repository: '@local'
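Review bot: `appVersion: latest` ends up as the image tag, because the deployment template added in this commit renders `{{ .Values.image.tag | default .Chart.AppVersion }}` and the chart's `values.yaml` leaves `tag` commented out. A mutable `latest` tag together with `pullPolicy: Always` means the running UI image can change on any pod restart without a chart change, which undermines rollbacks and any review or scanning tied to a specific image. Setting `appVersion: <released-version>` to the released portal-ng UI version, or pinning `image.tag` in values, keeps the deployed image tied to the chart revision.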
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/cds.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/cds.svg new file mode 100644 index 0000000000..a203d519ed --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/cds.svg @@ -0,0 +1,220 @@ + + + + + + image/svg+xml + + + + + + + logo + Created with Sketch. + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/onap.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/onap.svg new file mode 100644 index 0000000000..2015be22f6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/onap.svg @@ -0,0 +1,157 @@ + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdc.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdc.svg new file mode 100644 index 0000000000..84f9eeda35 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdc.svg @@ -0,0 +1,96 @@ + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-dg.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-dg.svg new file mode 100644 index 0000000000..6b93a58db5 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-dg.svg @@ -0,0 +1,534 @@ + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-odl.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-odl.svg new file mode 100644 index 0000000000..6b93a58db5 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-odl.svg @@ -0,0 +1,534 @@ + + + + + + + + + + 
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/tiles.json b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/tiles.json new file mode 100644 index 0000000000..a69855d639 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/tiles.json 
@@ -0,0 +1,128 @@ +{ + "items": [ + { + "id": 1, + "title": "Service Design and Creation (SDC)", + "description": "Open the SDC in a new tab", + "tooltipDE": "SDC ist das visuelle Modellierungs- und Designtool von ONAP. Es erstellt interne Metadaten, die Assets beschreiben, die von allen ONAP-Komponenten verwendet werden, sowohl zur Entwurfszeit als auch zur Laufzeit.", + "tooltipEN": "SDC is the ONAP visual modeling and design tool. It creates internal metadata that describes assets used by all ONAP components, both at design time and run time.", + "imageUrl": "sdc.svg", + "imageAltText": "SDC image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SDC_URL) }}/sdc1/", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 3, + "title": "Policy Framework", + "description": "Open Policy GUI in a new tab", + "tooltipDE": "Das ONAP Policy Framework legt die Architektur des Frameworks dar und zeigt die APIs, die anderen Komponenten bereitgestellt werden, die mit dem Framework zusammenarbeiten.", + "tooltipEN": "ONAP Policy Framework lays out the architecture of the framework and shows the APIs provided to other components that interwork with the framework.", + "imageUrl": "onap.svg", + "imageAltText": "Policy image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" .Values.tiles.POLICY_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN" + ] + }, + { + "id": 4, + "title": "Service Orchestration (SO) Monitoring", + "description": "Open SO-Monitoring in a new tab", + "tooltipDE": "Der ONAP Service Orchestrator bietet die höchste Ebene der Service-Orchestrierung in der ONAP-Architektur.", + "tooltipEN": "The ONAP Service Orchestrator provides the highest level of service orchestration in the ONAP architecture.", + "imageUrl": "onap.svg", + "imageAltText": "SO-Monitoring image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SO_URL) }}", + "groups": [], + "roles": [ + "PORTAL_OPERATOR" + ] + }, + { + "id": 7, + "title": "Controller Design Studio (CDS)", + "description": "Open CDS in a new tab", + "tooltipDE": "Die CDS Designer Benutzeroberfläche ist ein Framework zur Automatisierung der Auflösung von Ressourcen für die Instanziierung und aller Konfigurationsbereitstellung, wie z. B. die Konfiguration von Day0, Day1 oder Day2.", + "tooltipEN": "CDS Designer UI is a framework to automate the resolution of resources for instantiation and any config provisioning operation, such as day0, day1, or day2 configuration.", + "imageUrl": "cds.svg", + "imageAltText": "CDS image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" .Values.tiles.CDS_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 9, + "title": "Holmes Rules", + "description": "Open Holmes in a new tab", + "tooltipDE": "Das Holmes-Projekt bietet Alarmkorrelation und -analyse für Telekommunikations-Cloudinfrastruktur und -Dienste, einschließlich Hosts, Vims, VNFs und NSs.", + "tooltipEN": "Holmes project provides alarm correlation and analysis for Telecom cloud infrastructure and services, including hosts, vims, VNFs and NSs.", + "imageUrl": "onap.svg", + "imageAltText": "Holmes image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.HOLMES_URL) }}/iui/holmes/default.html", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 10, + "title": "A&AI Browser", + "description": "Open the A&AI Browser in a new tab", + "tooltipDE": "AAI ist eine Komponente der ONAP-Laufzeit (Echtzeitansichten von Ressourcen, Services, Produkten, Kundenabonnements und deren Beziehungen).", + "tooltipEN": "AAI is a component of ONAP runtime (Real-time views of Resources, Services, Products, Customer Subscriptions and their relationships).", + "imageUrl": "onap.svg", + "imageAltText": "A&AI Browser image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" .Values.tiles.AAI_URL) }}/services/aai/webapp/index.html#/browse", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 11, + "title": "SDN-C Directed Graph Builder (SDC-C DGB)", + "description": "Open the SDN-C Directed Graph Builder in a new tab", + "tooltipDE": "SDNC DG soll eine Ausführungsumgebung für schnell geschriebene und hochgradig angepasste Serviceabläufe bereitstellen.", + "tooltipEN": "SDNC DG is to provide an execution environment for quickly written and highly customized service flows.", + "imageUrl": "sdnc-dg.svg", + "imageAltText": "SDN-C DG image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SDNCDG_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 12, + "title": "SDN-C Open Daylight UI (SDN-C ODL)", + "description": "Open the SDN-C Open Daylight UI (SDN-C ODL) in a new tab", + "tooltipDE": "Das OpenDaylight Project ist ein kollaboratives Open-Source-Projekt, das von der Linux Foundation gehostet wird. Das Projekt dient als Plattform für Software-Defined Networking (SDN) zur offenen, zentralisierten Überwachung von Netzwerkgeräten.", + "tooltipEN": "The OpenDaylight Project is a collaborative open-source project hosted by The Linux Foundation. The project serves as a platform for software-defined networking (SDN) for open, centralized, network device monitoring.", + "imageUrl": "sdnc-odl.svg", + "imageAltText": "SDN-C ODL image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SDNCODL_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + } + ] +} 
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles-icons.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles-icons.yaml
new file mode 100644
index 0000000000..33d9cf3a51
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles-icons.yaml
@@ -0,0 +1,28 @@
+{{/*
+# Copyright © 2022 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-tiles-icons
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/tiles/icons/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles.yaml
new file mode 100644
index 0000000000..ef4ee2ea2c
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles.yaml
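Review bot: The `data:` line passes the icon files through `tpl`, although they are static SVG assets as far as this commit shows, unlike `tiles.json`, which does contain `include` calls. With `tpl` in place, any `{{` sequence in a current or future icon is evaluated with the full chart context or breaks rendering; `{{ (.Files.Glob "resources/tiles/icons/*").AsConfig | indent 2 }}` is enough here. Since several of the added icons are a few hundred lines each, it is also worth checking the rendered ConfigMap against the 1 MiB object size limit.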
@@ -0,0 +1,28 @@
+{{/*
+# Copyright © 2022 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-tiles-json
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/tiles/tiles.json").AsConfig . | indent 2 }}
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml
new file mode 100644
index 0000000000..4895edd85b
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml
@@ -0,0 +1,30 @@
+{{/*
+# Copyright © 2022 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-configmap
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+ {{- range $key, $val := .Values.env }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end -}}
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml
new file mode 100644
index 0000000000..6a16384346
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml
@@ -0,0 +1,78 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + ports: {{ include "common.containerPorts" . 
| nindent 12 }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.service.internalPort}} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: / + port: {{ .Values.service.internalPort}} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + volumeMounts: + - name: tiles-icons + mountPath: {{ .Values.nginx.tilesIconsPath }} + readOnly: true + - name: tiles-json + mountPath: {{ .Values.nginx.tilesPath }} + subPath: tiles.json + readOnly: true + resources: {{ include "common.resources" . | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + - name: tiles-icons + configMap: + name: {{ include "common.fullname" . }}-tiles-icons + - name: tiles-json + configMap: + name: {{ include "common.fullname" . }}-tiles-json + items: + - key: tiles.json + path: tiles.json diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/ingress.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/ingress.yaml new file mode 100644 index 0000000000..bc2d2bc363 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/ingress.yaml 
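Review bot: The pod spec sets neither `serviceAccountName` nor a `securityContext`, even though the chart declares the `serviceAccount` dependency and `values.yaml` defines `serviceAccount.nameOverride: portal-ng-ui` with a `read` role. Unless one of the common templates injects it, which this diff does not show, the pod runs under the namespace's default service account and the account created by the subchart is unused; a `serviceAccountName:` line under `spec:` of the pod template, referencing that account, would close the gap. For the container, `securityContext:` with `allowPrivilegeEscalation: false` and `runAsNonRoot: true` is a reasonable baseline given that nginx already listens on the unprivileged port 8080, subject to confirming the image's user. Both ConfigMap volumes are mounted `readOnly: true`, which is good to keep.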
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2022 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.ingress" . }}
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/service.yaml
new file mode 100644
index 0000000000..301d358c3b
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/service.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/values.yaml b/kubernetes/portal-ng/components/portal-ng-ui/values.yaml
new file mode 100644
index 0000000000..bf28766bda
--- /dev/null
+++ b/kubernetes/portal-ng/components/portal-ng-ui/values.yaml
@@ -0,0 +1,111 @@
+# Copyright © 2022, Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+global:
+ ingress:
+ virtualhost:
+ # Default Ingress base URL
+ # can be overwritten in component by setting ingress.baseurlOverride
+ baseurl: "simpledemo.onap.org"
+ # prefix for baseaddr
+ # can be overwritten in component by setting ingress.preaddrOverride
+ preaddr: ""
+ # postfix for baseaddr
+ # can be overwritten in component by setting ingress.postaddrOverride
+ postaddr: ""
+
+# Default values for ui.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+image:
+ imageName: onap/portal-ng/ui
+ pullPolicy: Always
+ # Overrides the image tag whose default value is the chart appVersion.
+ # tag: 0.1.0
+
+replicaCount: 1
+
+# Specifies how many old replicas will be retained in a deployment
+revisionHistoryLimit: 2
+
+nameOverride: ""
+fullnameOverride: ""
+# This is the overall name on which this component is ar part of.
+partOf: portal
+
+service:
+ type: ClusterIP
+ internalPort: 8080
+ ports:
+ - name: http
+ port: 80
+ port_protocol: http
+
+ingress:
+ enabled: true
+ service:
+ - baseaddr: "portal-ng-ui"
+ name: "portal-ng-ui"
+ port: 80
+ config:
+ ssl: "redirect"
+
+resources: {}
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 10
+ targetCPUUtilizationPercentage: 80
+
+probes:
+ readiness:
+ initialDelaySeconds: 20
+ failureThreshold: 4
+ liveness:
+ initialDelaySeconds: 20
+ failureThreshold: 4
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+env:
+ BFF_URL: http://portal-ng-bff.onap.svc.cluster.local:9080
+ NGINX_PORT: 8080
+ KEYCLOAK_REALM: ONAP
+ KEYCLOAK_INTERNAL_URL: http://keycloakx-http.keycloak.svc.cluster.local
+ KEYCLOAK_HOSTNAME: https://keycloak-ui.simpledemo.onap.org
+
+#Pods Service Account
+serviceAccount:
+ nameOverride: portal-ng-ui
+ roles:
+ - read
+
+nginx:
+ tilesPath: /usr/share/nginx/html/assets/tiles/tiles.json
+ tilesIconsPath: /usr/share/nginx/html/assets/images/tiles
+
+tiles:
+ SDC_URL: "sdc-fe-ui"
+ POLICY_URL: "policy-ui"
+ SO_URL: "so-admin-cockpit-ui"
+ CDS_URL: "cds-ui"
+ HOLMES_URL: "holmes-rule-mgmt-ui"
+ AAI_URL: "aai-sparkybe-api"
+ SDNCDG_URL: "sdnc-dgbuilder-ui"
+ SDNCODL_URL: "sdnc-web-ui"
\ No newline at end of file
diff --git a/kubernetes/portal-ng/values.yaml b/kubernetes/portal-ng/values.yaml
new file mode 100755
index 0000000000..12862a1930
--- /dev/null
+++ b/kubernetes/portal-ng/values.yaml
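Review bot: `BFF_URL: http://portal-ng-bff.onap.svc.cluster.local:9080` hard-codes the `onap` namespace, while every template in this chart takes the namespace from `common.namespace`; a release installed elsewhere would point the UI at a backend that does not exist in that namespace. `KEYCLOAK_HOSTNAME: https://keycloak-ui.simpledemo.onap.org` likewise repeats the base URL instead of following `global.ingress.virtualhost.baseurl`, so overriding the base URL leaves the login redirect on the demo domain. A namespace-relative name such as `BFF_URL: http://portal-ng-bff:9080` avoids the first problem without templating. `resources: {}` leaves the container without requests or limits, and the comment above `partOf` contains a typo (`ar part of`).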
@@ -0,0 +1,19 @@ +# Copyright (C) 2021 Bell Canada +# Modifications Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# + diff --git a/kubernetes/portal/.helmignore b/kubernetes/portal/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/portal/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/portal/Chart.yaml b/kubernetes/portal/Chart.yaml deleted file mode 100644 index 5b0816eba5..0000000000 --- a/kubernetes/portal/Chart.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Web Portal -name: portal -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: portal-app - version: ~12.x-0 - repository: 'file://components/portal-app' - - name: portal-cassandra - version: ~12.x-0 - repository: 'file://components/portal-cassandra' - - name: portal-mariadb - version: ~12.x-0 - repository: 'file://components/portal-mariadb' - - name: portal-sdk - version: ~12.x-0 - repository: 'file://components/portal-sdk' - - name: portal-widget - version: ~12.x-0 - repository: 'file://components/portal-widget' diff --git a/kubernetes/portal/Makefile b/kubernetes/portal/Makefile deleted file mode 100644 index eea1b7aefb..0000000000 --- a/kubernetes/portal/Makefile +++ /dev/null 
@@ -1,59 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES := dist resources templates charts docker
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}")
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/portal/components/Makefile b/kubernetes/portal/components/Makefile
deleted file mode 100644
index f09e21e75c..0000000000
--- a/kubernetes/portal/components/Makefile
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES :=
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
- HELM_LINT_CMD := $(HELM_BIN) lint
-else
- HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}")
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
- @echo "\n[$@]"
- @make package-$@
-
-make-%:
- @if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
- @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
- @mkdir -p $(PACKAGE_DIR)
- @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi
- @sleep 3
- #@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
- @rm -f */Chart.lock
- @rm -f *tgz */charts/*tgz
- @rm -rf $(PACKAGE_DIR)
-%:
- @:
diff --git a/kubernetes/portal/components/portal-app/.helmignore b/kubernetes/portal/components/portal-app/.helmignore
deleted file mode 100644
index daebc7da77..0000000000
--- a/kubernetes/portal/components/portal-app/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/portal/components/portal-app/Chart.yaml b/kubernetes/portal/components/portal-app/Chart.yaml
deleted file mode 100644
index 276f44f8fa..0000000000
--- a/kubernetes/portal/components/portal-app/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: ONAP Portal application
-name: portal-app
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/fusion.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/fusion.properties
deleted file mode 100755
index 7020a40bb4..0000000000
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/fusion.properties
+++ /dev/null
@@ -1,63 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# domain settings -#domain_class_location = - -# validator settings -#default_error_message = Default error message - -login_url_no_ret_val = https://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm - -user_attribute_name = user - -# User Session settings -roles_attribute_name = roles -role_functions_attribute_name = role_functions - -# menu settings -menu_query_name = menuData -application_menu_set_name = APP -application_menu_attribute_name = applicationMenuData -business_direct_menu_set_name = BD -business_direct_menu_attribute_name = businessDirectMenuData - -# ECOMP settings -ecomp_app_id = 1 -# Role settings -sys_admin_role_id = 1 -account_admin_role_id = 999 -restricted_app_role_id = 900 - -# Home Page index html -home_page = /index.html - -authentication_mechanism =DBAUTH - -login.error.hrid.empty = Login failed, please contact system administrator. -login.error.hrid.not-found = User not found, please contact system administrator. -login.error.user.inactive = Account is disabled, please contact system administrator. - -# -# Number of seconds to poll health (database operational, etc.) -# -health_poll_interval_seconds = 5 -# -# If a component is down a log entry will be written that triggers an alert. 
This parameter specifies how often this alert should be triggered -# if the component remains down. For example a value of 30, would translate to 30 * 60 seconds = 1800 seconds, or every 30 minutes -# -health_fail_alert_every_x_intervals = 30 diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties deleted file mode 100644 index 791853db8f..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties +++ /dev/null @@ -1,4 +0,0 @@ -{{/* -# Encrypted Properties -*/}} -cipher.enc.key = ${CIPHER_ENC_KEY} diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml deleted file mode 100644 index 325da8e9e3..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml +++ /dev/null 
@@ -1,300 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${applicationLoggerPattern} - - - - - - - - - - - - ${logDirectory}/${generalLogName}.log - - - ${logDirectory}/${generalLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${applicationLoggerPattern} - - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - - ${logDirectory}/${auditLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${auditLoggerPattern} - - - - 256 - - - - - ${logDirectory}/${metricsLogName}.log - - - ${logDirectory}/${metricsLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${metricsLoggerPattern} - - - - - - 256 - - - - - ${logDirectory}/${errorLogName}.log - - - ${logDirectory}/${errorLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${errorLoggerPattern} - - - - - 256 - - - - - ${debugLogDirectory}/${debugLogName}.log - - - ${logDirectory}/${debugLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${defaultLoggerPattern} - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties deleted file mode 100644 index 1fc99383cd..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties +++ /dev/null 
@@ -1,35 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-
-music.version = v2
-music.keyspace = keyspaces
-music.session.keyspace = portal
-music.tables = tables
-music.session.attr.tables = spring_session_attributes
-music.session.meta.tables = spring_session
-music.consistency.info = type
-music.consistency.info.value = eventual
-music.cache = false
-music.session.max.inactive.interval.seconds = 1800
-music.serialize.compress = true
-
-#By default it's eventual
-music.atomic.get = false
-music.atomic.put = false
-cassandra.host={{.Values.cassandra.service.name}}
-cassandra.user=${CASSA_USER}
-cassandra.password=${CASSA_PASSWORD}
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/openid-connect.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/openid-connect.properties
deleted file mode 100755
index 63533621f7..0000000000
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/openid-connect.properties
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-authentication_server_url = http://{{.Values.global.portalHostName}}:8383/openid-connect-server-webapp/
-ecomp_openid_connect_client = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/openid_connect_login
-ecomp_redirect_uri = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/welcome.htm
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/portal.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/portal.properties
deleted file mode 100755
index 4da4854188..0000000000
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/portal.properties
+++ /dev/null
@@ -1,45 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-# Not used by portal
-portal.api.impl.class = org.onap.portalsdk.core.onboarding.client.OnBoardingApiServiceImpl.not.used.by.portal
-portal.api.prefix = /api
-max.idle.time = 5
-user.attribute.name = user_attribute
-
-# for single sign on
-ecomp_redirect_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm
-
-# URL of the ECOMP Portal REST API
-ecomp_rest_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/auxapi
-
-ueb_listeners_enable = true
-
-ueb_app_key = 7GkVcrO6sIDb3ngW
-ueb_app_secret = uCYgKjWKK5IxPGNNZzYSSWo9
-ueb_app_mailbox_name = ECOMP-PORTAL-INBOX
-
-ueb_url_list = message-router
-ecomp_portal_inbox_name = ECOMP-PORTAL-INBOX
-
-# Consumer group name for UEB topic.
-# Use the special tag to generate a unique one for each sdk-app server.
-ueb_app_consumer_group_name = {UUID}
-
-role_access_centralized = remote
-
-ext_req_connection_timeout = 15000
-ext_req_read_timeout = 20000
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
deleted file mode 100755
index 34c7f1dee0..0000000000
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
+++ /dev/null
@@ -1,127 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -#mysql -db.driver = org.mariadb.jdbc.Driver -db.connectionURL = jdbc:mariadb:failover://portal-db:3306/portal -db.userName =${PORTAL_DB_USER} -db.password =${PORTAL_DB_PASSWORD} -db.hib.dialect = org.hibernate.dialect.MySQLDialect -db.min_pool_size = 5 -db.max_pool_size = 10 -hb.dialect = org.hibernate.dialect.MySQLDialect -hb.show_sql = false -hb.db_reconnect = true -hb.idle_connection_test_period = 3600 - -app_display_name = Portal -files_path = /tmp -context_root = ONAPPORTAL -# menu settings -menu_query_name = menuData -menu_properties_file_location = /WEB-INF/fusion/menu/ -application_menu_set_name = APP -application_menu_attribute_name = applicationMenuData -application_menu_properties_name = menu.properties -business_direct_menu_set_name = BD -business_direct_menu_properties_name = bd.menu.properties -business_direct_menu_attribute_name = businessDirectMenuData - -application_user_id = 30000 -post_default_role_id = 1 - -#Enable Fusion Mobile capabilities for the application -mobile_enable = false - -cache_config_file_path = /WEB-INF/conf/cache.ccf -cache_switch = 1 -cache_load_on_startup = false - -user_name = fullName -decryption_key = AGLDdG4D04BKm2IxIWEr8o== - - -#Cron Schedules -cron_site_name = one -log_cron = 0 * * * * ? * -sessiontimeout_feed_cron = 0 0/5 * * * ? 
* - -#Front end URL -frontend_url = https://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/applicationsHome - - -# An Unqiue 128-bit value defined to indentify a specific version of -# ECOMP Portal deployed on a specific virtual machine. -# This value must be generated and updated at the time of -# the deployment. -# Online Unique UUID generator - https://www.uuidgenerator.net/ -instance_uuid = 90bc9497-10e6-49fe-916b-dcdfaa972383 - -elastic_search_url = http:// -contact_us_link = http:// -user_guide_link = http:// - -# Contact Us page properties -ush_ticket_url = http:// -feedback_email_address = portal@lists.onap.org -portal_info_url = https:// - -#Online user bar refresh interval, in seconds -online_user_update_rate = 30 - -#Online user bar refresh total duration, in seconds -online_user_update_duration = 300 - -#authenticate user server -authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-connect-server-webapp/allUsers - -#window width threshold to collapse left/right menu when page onload -window_width_threshold_left_menu = 1400 -window_width_threshold_right_menu = 1350 - -# User notification refresh interval and duration, in seconds -notification_update_rate = 90 -notification_update_duration = 900 - -#Microservices Related Properties for Portal -microservices.widget.protocol = http -microservices.widget.hostname = portal-widget -microservices.widget.username = widget_user -microservices.widget.password = M+KcrCMVrR1rAxtiFE49n1uXC3FCkNBqFgeYsubEC/U= -#This property won't be needed after consul is functional on VMs - -microservices.widget.local.port = 8082 -microservices.m-learn.local.port = 8083 -#HALO API enable flag -external_access_enable = false - -#delete auditlog from number of days ago -auditlog_del_day_from = 365 - -#External system notification URL -external_system_notification_url= https://jira.onap.org/browse/ - -#cookie domain -cookie_domain = onap.org - -# External Central Auth system access 
-remote_centralized_system_access = {{.Values.global.aafEnabled}} - -# External Access System Basic Auth Credentials & Rest endpoint -ext_central_access_user_name = aaf_admin@people.osaaf.org -ext_central_access_password = demo123456! -ext_central_access_url = {{.Values.aafURL}} -ext_central_access_user_domain = @people.osaaf.org diff --git a/kubernetes/portal/components/portal-app/resources/server/server.xml b/kubernetes/portal/components/portal-app/resources/server/server.xml deleted file mode 100644 index 38391ae774..0000000000 --- a/kubernetes/portal/components/portal-app/resources/server/server.xml +++ /dev/null @@ -1,157 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {{ if .Values.global.aafEnabled }} - - {{ end }} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-app/resources/server/web.xml b/kubernetes/portal/components/portal-app/resources/server/web.xml deleted file mode 100644 index 7c4f2a7275..0000000000 --- a/kubernetes/portal/components/portal-app/resources/server/web.xml +++ /dev/null @@ -1,155 +0,0 @@ - - - - - fusion - - - - - - - - - - - org.onap.portalapp.portal.listener.UserSessionListener - - - - CorsFilter - org.apache.catalina.filters.CorsFilter - - cors.allowed.origins - http://www.portal.onap.org:9200,http://www.portal.onap.org:9000 - - - cors.allowed.methods - GET,POST,HEAD,OPTIONS,PUT,DELETE - - - cors.allowed.headers - EPService,JSESSIONID,X-ECOMP-RequestID,X-Widgets-Type,Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers - - - cors.exposed.headers - Access-Control-Allow-Origin,Access-Control-Allow-Credentials - - - cors.support.credentials - true - - - cors.preflight.maxage - 10 - - - - - CorsFilter - /* - - - - SecurityXssFilter - org.onap.portalapp.filter.SecurityXssFilter - - - - SecurityXssFilter - /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
diff --git a/kubernetes/portal/components/portal-app/templates/NOTES.txt b/kubernetes/portal/components/portal-app/templates/NOTES.txt
deleted file mode 100644
index 9a67a4c9bb..0000000000
--- a/kubernetes/portal/components/portal-app/templates/NOTES.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
- http://{{ . }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
-{{- end }}
diff --git a/kubernetes/portal/components/portal-app/templates/configmap.yaml b/kubernetes/portal/components/portal-app/templates/configmap.yaml
deleted file mode 100644
index a6d8234ee6..0000000000
--- a/kubernetes/portal/components/portal-app/templates/configmap.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2020 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-onapportal
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTAL/*").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml
deleted file mode 100644
index 02926f59d6..0000000000
--- a/kubernetes/portal/components/portal-app/templates/deployment.yaml
+++ /dev/null
@@ -1,192 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-job-completion - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-portal-db-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-portal-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - cd /config-input && \ - for PFILE in `ls -1 *.xml` - do - cp ${PFILE} /config - chmod 0755 /config/${PFILE} - done - cd /config-input && \ - for PFILE in `ls -1 *.properties` - do - envsubst <${PFILE} >/config/${PFILE} - chmod 0755 /config/${PFILE} - done - env: - - name: CASSA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }} - - name: CASSA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }} - - name: CIPHER_ENC_KEY - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }} - - name: PORTAL_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} - - name: PORTAL_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: properties-onapportal-scrubbed - - mountPath: /config - name: properties-onapportal -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c"] - {{- if .Values.global.aafEnabled }} - args: ["export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0);\ - export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\ - /start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"] - env: - - name: CATALINA_OPTS - value: > - -Djavax.net.ssl.keyStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }}" - -Djavax.net.ssl.trustStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }}" - {{- else }} - args: ["/start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"] - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} - - containerPort: {{ .Values.service.internalPort4 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . 
| indent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/fusion/conf/fusion.properties" - subPath: fusion.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/openid-connect.properties" - subPath: openid-connect.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/conf/system.properties" - subPath: system.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/portal.properties" - subPath: portal.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties" - subPath: key.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/music.properties" - subPath: music.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/logback.xml" - subPath: logback.xml - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml" - subPath: server.xml - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/web.xml" - subPath: web.xml - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/temp" - - name: var-log-onap - mountPath: "{{ .Values.log.path }}" - resources: -{{ include "common.resources" . }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - {{ include "common.log.sidecar" . 
| nindent 6 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-onapportal - emptyDir: - medium: Memory - - name: properties-onapportal-scrubbed - configMap: - name: {{ include "common.fullname" . }}-onapportal - defaultMode: 0755 - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - - name: var-log-onap - emptyDir: {} - - name: portal-tomcat-logs - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-app/templates/ingress.yaml b/kubernetes/portal/components/portal-app/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/portal/components/portal-app/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/portal/components/portal-app/templates/secret.yaml b/kubernetes/portal/components/portal-app/templates/secret.yaml deleted file mode 100644 index 78fc709202..0000000000 --- a/kubernetes/portal/components/portal-app/templates/secret.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-# Modifications Copyright © 2020 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.secretFast" . }}
diff --git a/kubernetes/portal/components/portal-app/templates/service.yaml b/kubernetes/portal/components/portal-app/templates/service.yaml
deleted file mode 100644
index 523b950f8b..0000000000
--- a/kubernetes/portal/components/portal-app/templates/service.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
- annotations:
- msb.onap.org/service-info: '[
- {
- "serviceName": "portal",
- "version": "v2",
- "url": "/",
- "protocol": "REST"
- "port": "{{ .Values.service.externalPort }}",
- "visualRange":"1"
- }
- ]'
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{ if or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer") -}}
- - port: {{ .Values.service.externalPort4 }}
- targetPort: {{ .Values.service.internalPort4 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort4 }}
- name: {{ .Values.service.portName }}4
- {{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- - port: {{ .Values.service.externalPort2 }}
- targetPort: {{ .Values.service.internalPort2 }}
- name: {{ .Values.service.portName }}2
- - port: {{ .Values.service.externalPort3 }}
- targetPort: {{ .Values.service.internalPort3 }}
- name: {{ .Values.service.portName }}3
- {{- end }}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml
deleted file mode 100644
index 483a7f3568..0000000000
--- a/kubernetes/portal/components/portal-app/values.yaml
+++ /dev/null
@@ -1,179 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018,2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - env: - tomcatDir: "/usr/local/tomcat" - nodePortPrefix: 302 - #AAF service - aafEnabled: true - -################################################################ -# Secrets metaconfig -################################################################# - -secrets: - - uid: portal-cass - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}' - login: '{{ .Values.cassandra.config.cassandraUsername }}' - password: '{{ .Values.cassandra.config.cassandraPassword }}' - passwordPolicy: required - - uid: cipher-enc-key - type: password - externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}' - password: '{{ .Values.config.cipherEncKey }}' - passwordPolicy: required - - uid: portal-backend-db - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - -################################################################# -# Application configuration defaults. 
-################################################################# - -# application image -image: onap/portal-app:3.4.2 -pullPolicy: Always - -# application configuration -config: - # cipherEncKeyExternalSecret: some secret - cipherEncKey: AGLDdG4D04BKm2IxIWEr8o==! - -#AAF local config - -aafURL: https://aaf-service:8100/authz/ -certInitializer: - nameOverride: portal-app-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: portal - fqi: portal@portal.onap.org - public_fqdn: portal.onap.org - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - permission_user: 1000 - permission_group: 999 - keystoreFile: "org.onap.portal.p12" - truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: | - echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: LoadBalancer - name: portal-app - portName: portal-app - externalPort: 8989 - internalPort: 8080 - nodePort: 15 - externalPort2: 8006 - internalPort2: 8005 - nodePort2: 13 - externalPort3: 8010 - internalPort3: 8009 - nodePort3: 14 - externalPort4: 8443 - internalPort4: 8443 - nodePort4: 25 - -mariadb: - service: - name: portal-db - config: - # backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal -widget: - service: - name: portal-widget -cassandra: - service: - name: portal-cassandra - config: - # cassandraExternalSecret: some secret - 
cassandraUsername: root - cassandraPassword: Aa123456 -messageRouter: - service: - name: message-router - -ingress: - enabled: false - service: - - baseaddr: portal-ui - name: "portal-app" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2.2 - memory: 800Mi - requests: - cpu: 30m - memory: 460Mi - large: - limits: - cpu: 4 - memory: 15Gi - requests: - cpu: 2 - memory: 8Gi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -#Pods Service Account -serviceAccount: - nameOverride: portal-app - roles: - - read diff --git a/kubernetes/portal/components/portal-cassandra/.helmignore b/kubernetes/portal/components/portal-cassandra/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-cassandra/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-cassandra/Chart.yaml b/kubernetes/portal/components/portal-cassandra/Chart.yaml deleted file mode 100644 index 21ec14daef..0000000000 --- a/kubernetes/portal/components/portal-cassandra/Chart.yaml +++ /dev/null 
@@ -1,32 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Portal cassandra
-name: portal-cassandra
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal.cql b/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal.cql
deleted file mode 100644
index 21715a9e2a..0000000000
--- a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal.cql
+++ /dev/null
@@ -1,72 +0,0 @@ -// Copyright (c) 2018 Amdocs, Bell Canada, AT&T -// Modifications Copyright (c) 2020 Nokia -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -CREATE KEYSPACE IF NOT EXISTS portal - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portal.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - - -CREATE TABLE portal.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND 
caching = {'keys': 'ALL', 'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - -CREATE TABLE portal.health_check (primary_id text PRIMARY KEY, creation_time text); -insert into portal.health_check (primary_id,creation_time) values ('ECOMPPortal-25927','2018-05-25T20:14:39.408Z'); diff --git a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal_single.cql b/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal_single.cql deleted file mode 100644 index a9771bfa5d..0000000000 --- a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal_single.cql +++ /dev/null 
@@ -1,145 +0,0 @@ -// Copyright © 2018 Amdocs, Bell Canada, AT&T -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - - -CREATE KEYSPACE IF NOT EXISTS admin - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - -CREATE TABLE IF NOT EXISTS admin.keyspace_master ( - uuid uuid, - keyspace_name text, - application_name text, - is_api boolean, - password text, - username text, - is_aaf boolean, - PRIMARY KEY (uuid) -); - - -CREATE KEYSPACE IF NOT EXISTS portal - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portal.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance 
= 0.0 - AND speculative_retry = '99PERCENTILE'; - - -CREATE TABLE portal.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - - - -CREATE KEYSPACE IF NOT EXISTS portalsdk - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portalsdk.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = 
'99PERCENTILE'; - - -CREATE TABLE portalsdk.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; \ No newline at end of file diff --git a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portalsdk.cql b/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portalsdk.cql deleted file mode 100644 index 4f6148e3f1..0000000000 --- a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portalsdk.cql +++ /dev/null 
@@ -1,68 +0,0 @@ -// Copyright © 2018 Amdocs, Bell Canada, AT&T -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -CREATE KEYSPACE IF NOT EXISTS portalsdk - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portalsdk.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - - -CREATE TABLE portalsdk.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 
'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; diff --git a/kubernetes/portal/components/portal-cassandra/templates/NOTES.txt b/kubernetes/portal/components/portal-cassandra/templates/NOTES.txt deleted file mode 100644 index ee7a285cc0..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-cassandra/templates/configmap.yaml b/kubernetes/portal/components/portal-cassandra/templates/configmap.yaml deleted file mode 100644 index 5cd33b43a2..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-docker-entry-initd - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/cassandra/docker-entrypoint-initdb.d/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml b/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml deleted file mode 100644 index 9becdaa707..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -{{/* -# Copyright (c) 2017 Amdocs, Bell Canada -# Modifications Copyright (c) 2018 AT&T -# Modifications Copyright (c) 2020 Nokia, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /bin/bash - - -c - - | - /opt/bitnami/scripts/cassandra/entrypoint.sh /opt/bitnami/scripts/cassandra/run.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} - - containerPort: {{ .Values.service.internalPort4 }} - - containerPort: {{ .Values.service.internalPort5 }} - {{ if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: - - /bin/bash - - -ec - - | - nodetool status - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - readinessProbe: - exec: - command: - - /bin/bash - - -ec - - | - nodetool status | grep -E "^UN\\s+${POD_IP}" - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - successThreshold: {{ .Values.readiness.successThreshold }} - failureThreshold: {{ .Values.readiness.failureThreshold }} - lifecycle: - preStop: - exec: - command: - - bash - - -ec - - nodetool decommission - env: - - name: CASSANDRA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12}} - - name: CASSANDRA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "db-creds" "key" "password") | indent 12}} - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CASSANDRA_PASSWORD_SEEDER - value: "yes" - - name: BITNAMI_DEBUG - value: "true" - - name: CASSANDRA_CLUSTER_NAME - value: cassandra - - name: CASSANDRA_NUM_TOKENS - value: "256" - - name: CASSANDRA_DATACENTER - value: dc1 - - name: CASSANDRA_ENDPOINT_SNITCH - value: SimpleSnitch - - name: CASSANDRA_RACK - value: rack1 - - name: CASSANDRA_ENABLE_RPC - value: "true" - {{- $flavor := include "common.flavor" . }} - {{- $heap := pluck $flavor .Values.heap | first }} - {{- if (hasKey $heap "max") }} - - name: MAX_HEAP_SIZE - value: {{ $heap.max }} - {{- end }} - {{- if (hasKey $heap "new") }} - - name: HEAP_NEWSIZE - value: {{ $heap.new }} - {{- end }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: cassandra-docker-entrypoint-initdb - mountPath: /docker-entrypoint-initdb.d/aaa_portal.cql - subPath: portal.cql - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/cassandra/data - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: cassandra-docker-entrypoint-initdb - configMap: - name: {{ include "common.fullname" . }}-docker-entry-initd - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/portal/components/portal-cassandra/templates/pv.yaml b/kubernetes/portal/components/portal-cassandra/templates/pv.yaml
deleted file mode 100644
index e10b003570..0000000000
--- a/kubernetes/portal/components/portal-cassandra/templates/pv.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-{{- if eq "True" (include "common.needPV" .) -}}
-kind: PersistentVolume
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
- name: {{ include "common.fullname" . }}
-spec:
- capacity:
- storage: {{ .Values.persistence.size}}
- accessModes:
- - {{ .Values.persistence.accessMode }}
- persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }}
- storageClassName: "{{ include "common.fullname" . }}-data"
- hostPath:
- path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/portal/components/portal-cassandra/templates/pvc.yaml b/kubernetes/portal/components/portal-cassandra/templates/pvc.yaml
deleted file mode 100644
index 1cadcc51d5..0000000000
--- a/kubernetes/portal/components/portal-cassandra/templates/pvc.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
-{{- if .Values.persistence.annotations }}
- annotations:
-{{ toYaml .Values.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
- accessModes:
- - {{ .Values.persistence.accessMode }}
- storageClassName: {{ include "common.storageClass" . }}
- resources:
- requests:
- storage: {{ .Values.persistence.size }}
-{{- end -}}
diff --git a/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml b/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml
deleted file mode 100644
index 34932b713d..0000000000
--- a/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.secretFast" . }}
diff --git a/kubernetes/portal/components/portal-cassandra/templates/service.yaml b/kubernetes/portal/components/portal-cassandra/templates/service.yaml
deleted file mode 100644
index 8f486c2175..0000000000
--- a/kubernetes/portal/components/portal-cassandra/templates/service.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
- - port: {{ .Values.service.externalPort2 }}
- targetPort: {{ .Values.service.internalPort2 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
- name: {{ .Values.service.portName }}2
- - port: {{ .Values.service.externalPort3 }}
- targetPort: {{ .Values.service.internalPort3 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }}
- name: {{ .Values.service.portName }}3
- - port: {{ .Values.service.externalPort4 }}
- targetPort: {{ .Values.service.internalPort4 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort4 }}
- name: {{ .Values.service.portName }}4
- - port: {{ .Values.service.externalPort5 }}
- targetPort: {{ .Values.service.internalPort5 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort5 }}
- name: {{ .Values.service.portName }}5
-
- {{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- - port: {{ .Values.service.externalPort2 }}
- targetPort: {{ .Values.service.internalPort2 }}
- name: {{ .Values.service.portName }}2
- - port: {{ .Values.service.externalPort3 }}
- targetPort: {{ .Values.service.internalPort3 }}
- name: {{ .Values.service.portName }}3
- - port: {{ .Values.service.externalPort4 }}
- targetPort: {{ .Values.service.internalPort4 }}
- name: {{ .Values.service.portName }}4
- - port: {{ .Values.service.externalPort5 }}
- targetPort: {{ .Values.service.internalPort5 }}
- name: {{ .Values.service.portName }}5
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/portal/components/portal-cassandra/values.yaml b/kubernetes/portal/components/portal-cassandra/values.yaml
deleted file mode 100644
index c3ffb4ffec..0000000000
--- a/kubernetes/portal/components/portal-cassandra/values.yaml
+++ /dev/null
@@ -1,148 +0,0 @@
-# Copyright (c) 2017 Amdocs, Bell Canada
-# Modifications Copyright (c) 2018 AT&T
-# Modifications Copyright (c) 2020 Nokia, Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Default values for mariadb.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-global: # global defaults
- nodePortPrefix: 302
- persistence: {}
-
-
-# application image
-image: bitnami/cassandra:3.11.9-debian-10-r30
-pullPolicy: Always
-
-#################################################################
-# Secrets metaconfig
-#################################################################
-secrets:
- - uid: 'db-creds'
- type: basicAuth
- externalSecret: '{{ tpl (default "" .Values.config.cassandraExternalSecret) . }}'
- login: '{{ .Values.config.cassandraUsername }}'
- password: '{{ .Values.config.cassandraPassword }}'
-
-# application configuration
-config:
- cassandraUsername: root
- cassandraPassword: Aa123456
-# cassandraCredsExternalSecret: some secret
- cassandraJvmOpts: -Xmx2536m -Xms2536m
-
-# default number of instances
-replicaCount: 1
-
-nodeSelector: {}
-
-affinity: {}
-
-# probe configuration parameters
-liveness:
- initialDelaySeconds: 10
- periodSeconds: 20
- timeoutSeconds: 10
- successThreshold: 1
- failureThreshold: 3
- # necessary to disable liveness probe when setting breakpoints
- # in debugger so K8s doesn't restart unresponsive container
- enabled: true
-
-readiness:
- initialDelaySeconds: 10
- periodSeconds: 20
- timeoutSeconds: 10
- successThreshold: 1
- failureThreshold: 3
-
-## Persist data to a persitent volume
-persistence:
- enabled: true
-
- ## A manually managed Persistent Volume and Claim
- ## Requires persistence.enabled: true
- ## If defined, PVC must be created manually before volume will be bound
- # existingClaim:
- volumeReclaimPolicy: Retain
-
- ## database data Persistent Volume Storage Class
- ## If defined, storageClassName:
- ## If set to "-", storageClassName: "", which disables dynamic provisioning
- ## If undefined (the default) or set to null, no storageClassName spec is
- ## set, choosing the default provisioner. (gp2 on AWS, standard on
- ## GKE, AWS & OpenStack)
- ##
- # storageClass: "-"
- accessMode: ReadWriteOnce
- size: 2Gi
- mountPath: /dockerdata-nfs
- mountSubPath: portal/cassandra/data
-
-service:
- type: ClusterIP
- name: portal-cassandra
- portName: portal-cassandra
- externalPort: 9160
- internalPort: 9160
- externalPort2: 7000
- internalPort2: 7000
- externalPort3: 7001
- internalPort3: 7001
- externalPort4: 7199
- internalPort4: 7199
- externalPort5: 9042
- internalPort5: 9042
-
-ingress:
- enabled: false
-
-# Resource Limit flavor -By Default using small
-flavor: small
-# Segregation for Different environment (Small and Large)
-resources:
- small:
- limits:
- cpu: 500m
- memory: 3.75Gi
- requests:
- cpu: 160m
- memory: 3.1Gi
- large:
- limits:
- cpu: 4
- memory: 10Gi
- requests:
- cpu: 2
- memory: 6Gi
- unlimited: {}
-
-heap:
- # Heap size is tightly correlated to RAM limits.
- # If limit > 8G, Cassandra should define itself the best value.
- # If not, you must set up it in a coherent way with limits set
- # Refer to https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/operations/opsTuneJVM.html#Determiningtheheapsize
- # for more informations.
- small:
- max: 3G
- new: 100M
- large: {}
- unlimited: {}
-
-#Pods Service Account
-serviceAccount:
- nameOverride: portal-cassandra
- roles:
- - read
diff --git a/kubernetes/portal/components/portal-mariadb/.helmignore b/kubernetes/portal/components/portal-mariadb/.helmignore
deleted file mode 100644
index daebc7da77..0000000000
--- a/kubernetes/portal/components/portal-mariadb/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/portal/components/portal-mariadb/Chart.yaml b/kubernetes/portal/components/portal-mariadb/Chart.yaml
deleted file mode 100644
index c12659d903..0000000000
--- a/kubernetes/portal/components/portal-mariadb/Chart.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: MariaDB Service
-name: portal-mariadb
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
deleted file mode 100644
index 709877943c..0000000000
--- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh
+++ /dev/null
@@ -1,384 +0,0 @@ -#!/bin/bash - -set -eo pipefail - -# logging functions -mysql_log() { - local type - type="$1"; shift - printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" -} -mysql_note() { - mysql_log Note "$@" -} -mysql_warn() { - mysql_log Warn "$@" >&2 -} -mysql_error() { - mysql_log ERROR "$@" >&2 - exit 1 -} - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var - var="$1" - local fileVar - fileVar="${var}_FILE" - local def - def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - mysql_error "Both $var and $fileVar are set (but are exclusive)" - fi - local val - val="$def" - # val="${!var}" - # val="$(< "${!fileVar}")" - # eval replacement of the bashism equivalents above presents no security issue here - # since var and fileVar variables contents are derived from the file_env() function arguments. - # This method is only called inside this script with a limited number of possible values. - if [ "${!var:-}" ]; then - eval val=\$$var - elif [ "${!fileVar:-}" ]; then - val="$(< "$(eval echo "\$$fileVar")")" - fi - export "$var"="$val" - unset "$fileVar" -} - - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions -docker_process_init_files() { - # mysql here for backwards compatibility "${mysql[@]}" - mysql=( docker_process_sql ) - - echo - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - mysql_note "$0: running $f" - "$f" - else - mysql_note "$0: sourcing $f" - . 
"$f" - fi - ;; - *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; - *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; - *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; - *) mysql_warn "$0: ignoring $f" ;; - esac - echo - done -} - -mysql_check_config() { - local toRun - local errors - toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) - if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then - mysql_error "$(printf 'mysqld failed while attempting to check config\n\tcommand was: ')${toRun[*]}$(printf'\n\t')$errors" - fi -} - -# Fetch value from server config -# We use mysqld --verbose --help instead of my_print_defaults because the -# latter only show values present in config files, and not server defaults -mysql_get_config() { - local conf - conf="$1"; shift - "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \ - | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' - # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" -} - -# Do a temporary startup of the MySQL server, for init purposes -docker_temp_server_start() { - "$@" --skip-networking --socket="${SOCKET}" & - mysql_note "Waiting for server startup" - local i - for i in $(seq 30 -1 0); do - # only use the root password if the database has already been initializaed - # so that it won't try to fill in a password file when it hasn't been set yet - extraArgs="" - if [ "$DATABASE_ALREADY_EXISTS" = "false" ]; then - extraArgs=${extraArgs}" --dont-use-mysql-root-password" - fi - if echo 'SELECT 1' |docker_process_sql ${extraArgs} --database=mysql >/dev/null 2>&1; then - break - fi - sleep 1 - done - if [ "$i" = 0 ]; then - mysql_error "Unable to start server." - fi -} - -# Stop the server. When using a local socket file mysqladmin will block until -# the shutdown is complete. -docker_temp_server_stop() { - if ! 
mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then - mysql_error "Unable to shut down server." - fi -} - -# Verify that the minimally required password settings are set for new databases. -docker_verify_minimum_env() { - if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then - mysql_error "$(printf'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD')" - fi -} - -# creates folders for the database -# also ensures permission for user mysql of run as root -docker_create_db_directories() { - local user - user="$(id -u)" - - # TODO other directories that are used by default? like /var/lib/mysql-files - # see https://github.com/docker-library/mysql/issues/562 - mkdir -p "$DATADIR" - - if [ "$user" = "0" ]; then - # this will cause less disk access than `chown -R` - find "$DATADIR" \! -user mysql -exec chown mysql '{}' + - fi -} - -# initializes the database directory -docker_init_database_dir() { - mysql_note "Initializing database files" - installArgs=" --datadir=$DATADIR --rpm " - if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then - # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password - # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3 - # (this flag doesn't exist in 10.0 and below) - installArgs=${installArgs}" --auth-root-authentication-method=normal" - fi - # "Other options are passed to mysqld." 
(so we pass all "mysqld" arguments directly here) - mysql_install_db ${installArgs} "$(echo ${@} | sed 's/^ *[^ ]* *//')" - mysql_note "Database files initialized" -} - -if [ -z "$DATADIR" ]; then - DATADIR='unknown' -fi -if [ -z "$SOCKET" ]; then - SOCKET='unknown' -fi -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - DATABASE_ALREADY_EXISTS='false' -fi - -# Loads various settings that are used elsewhere in the script -# This should be called after mysql_check_config, but before any other functions -docker_setup_env() { - # Get config - DATADIR="$(mysql_get_config 'datadir' "$@")" - SOCKET="$(mysql_get_config 'socket' "$@")" - - # Initialize values that might be stored in a file - file_env 'MYSQL_ROOT_HOST' '%' - file_env 'MYSQL_DATABASE' - file_env 'MYSQL_USER' - file_env 'MYSQL_PASSWORD' - file_env 'MYSQL_ROOT_PASSWORD' - file_env 'PORTAL_DB_TABLES' - - if [ -d "$DATADIR/mysql" ]; then - DATABASE_ALREADY_EXISTS='true' - fi -} - -# Execute sql script, passed via stdin -# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args] -# ie: docker_process_sql --database=mydb <<<'INSERT ...' -# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb /dev/null; then - set -- mysqld "$@" - fi - - # skip setup if they aren't running mysqld or want an option that stops mysqld - if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then - mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started." 
- - mysql_check_config "$@" - # Load various environment variables - docker_setup_env "$@" - docker_create_db_directories - - # If container is started as root user, restart as dedicated mysql user - if [ "$(id -u)" = "0" ]; then - mysql_note "Switching to dedicated user 'mysql'" - exec gosu mysql "$0" "$@" - fi - - # there's no database, so it needs to be initialized - if [ "$DATABASE_ALREADY_EXISTS" = "false" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir "$@" - - mysql_note "Starting temporary server" - docker_temp_server_start "$@" - mysql_note "Temporary server started." - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g") - do - echo "Granting portal user ALL PRIVILEGES for table $i" - echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}" - done - - mysql_note "Stopping temporary server" - docker_temp_server_stop - mysql_note "Temporary server stopped" - - echo - mysql_note "MySQL init process done. Ready for start up." - echo - fi - fi - exec "$@" -} - -# If we are sourced from elsewhere, don't perform any further actions -# https://stackoverflow.com/questions/2683279/how-to-detect-if-a-script-is-being-sourced/2942183#2942183 -if [ "$(basename $0)" = "docker-entrypoint.sh" ]; then - _main "$@" -fi diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/oom_updates.sql b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/oom_updates.sql deleted file mode 100644 index f9db78ba4d..0000000000 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/oom_updates.sql +++ /dev/null 
@@ -1,95 +0,0 @@ -/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*/ - -USE portal; -/* -Any updates required by OOM to the portaldb are made here. -1. split up SDC-FE and SDC-BE. Originally both FE and BE point to the same IP -while the OOM K8s version has these service split up. -*/ --- app_url is the FE, app_rest_endpoint is the BE ---portal-sdk => TODO: doesn't open a node port yet -update fn_app set app_url = 'https://{{.Values.config.portalSdkHostName}}:{{.Values.config.portalSdkPort}}/ONAPPORTALSDK/welcome.htm', app_rest_endpoint = 'https://portal-sdk:8443/ONAPPORTALSDK/api/v3' where app_name = 'xDemo App'; ---dmaap-bc => the dmaap-bc doesn't open a node port.. 
-update fn_app set app_url = 'http://{{.Values.config.dmaapBcHostName}}:{{.Values.config.dmaapBcPort}}/ECOMPDBCAPP/dbc#/dmaap', app_rest_endpoint = 'http://dmaap-bc:8989/ECOMPDBCAPP/api/v2' where app_name = 'DMaaP Bus Ctrl'; ---sdc-be => 8443:30204 ---sdc-fe => 8181:30206, 9443:30207 -update fn_app set app_url = 'https://{{.Values.config.sdcFeHostName}}:{{.Values.config.sdcFePort}}/sdc1/portal', app_rest_endpoint = 'https://sdc-be:8443/api/v3' where app_name = 'SDC'; ---pap => 8443:30219 -update fn_app set app_url = 'https://{{.Values.config.papHostName}}:{{.Values.config.papPort}}/onap/policy', app_rest_endpoint = 'https://pap:8443/onap/api/v3' where app_name = 'Policy'; ---vid => 8080:30200 -update fn_app set app_url = 'https://{{.Values.config.vidHostName}}:{{.Values.config.vidPort}}/vid/welcome.htm', app_rest_endpoint = 'https://vid:8443/vid/api/v3' where app_name = 'Virtual Infrastructure Deployment'; ---sparky => TODO: sparky doesn't open a node port yet -update fn_app set app_url = 'https://{{.Values.config.aaiSparkyHostName}}:{{.Values.config.aaiSparkyPort}}/services/aai/webapp/index.html#/viewInspect', app_rest_endpoint = 'https://aai-sparky-be.{{.Release.Namespace}}:8000/api/v2' where app_name = 'A&AI UI'; ---cli => 8080:30260 -update fn_app set app_url = 'https://{{.Values.config.cliHostName}}:{{.Values.config.cliPort}}/', app_type = 1 where app_name = 'CLI'; ---msb-iag => 80:30280 -update fn_app set app_url = 'https://{{.Values.config.msbHostName}}:{{.Values.config.msbPort}}/iui/microservices/default.html' where app_name = 'MSB'; - - -/* -Create SO-Monitoring App -*/ -INSERT IGNORE INTO `fn_app` (`app_id`, `app_name`, `app_image_url`, `app_description`, `app_notes`, `app_url`, `app_alternate_url`, `app_rest_endpoint`, `ml_app_name`, `ml_app_admin_id`, `mots_id`, `app_password`, `open`, `enabled`, `thumbnail`, `app_username`, `ueb_key`, `ueb_secret`, `ueb_topic_name`, `app_type`,`auth_central`,`auth_namespace`) VALUES -(10, 'SO-Monitoring', 
'images/cache/portal-345993588_92550.png', NULL, NULL, 'http://{{.Values.config.soMonitoringHostName}}:{{.Values.config.soMonitoringPort}}', NULL, 'http://so-monitoring:30224', '', '', NULL, 'password', 'Y', 'Y', NULL, 'user', '', '', '', 1,'N','SO-Monitoring'); - -/* -Add SO Monitoring to Default apps -*/ -INSERT IGNORE INTO `fn_pers_user_app_sel` VALUES (10,1,10,'S'); - -/* -Add Contact information for SO Monitoring -*/ -INSERT IGNORE INTO `fn_app_contact_us` (app_id, contact_name, contact_email, url, active_yn, description) VALUES ( 10,"SO Team","so@lists.onap.org","https://wiki.onap.org/display/DW/Approved+Projects",NULL, "Service Orchestration (SO)."); - -/* -Additionally, some more update statments; these should be refactored to another SQL file in future releases -*/ - --- portal -update fn_app set auth_central = 'Y' , auth_namespace = 'org.onap.portal' where app_id = 1; --- portal-sdk -update fn_app set app_username='Default', app_password='2VxipM8Z3SETg32m3Gp0FvKS6zZ2uCbCw46WDyK6T5E=', ueb_key='ueb_key' where app_id = 2; --- SDC -update fn_app set app_username='sdc', app_password='j85yNhyIs7zKYbR1VlwEfNhS6b7Om4l0Gx5O8931sCI=', ueb_key='ueb_key' where app_id = 4; --- policy -update fn_app set app_username='Default', app_password='2VxipM8Z3SETg32m3Gp0FvKS6zZ2uCbCw46WDyK6T5E=', ueb_key='ueb_key_5', auth_central = 'Y' , auth_namespace = 'org.onap.policy' where app_id = 5; --- vid -update fn_app set app_username='Default', app_password='2VxipM8Z3SETg32m3Gp0FvKS6zZ2uCbCw46WDyK6T5E=', ueb_key='2Re7Pvdkgw5aeAUD', auth_central = 'Y' , auth_namespace = 'org.onap.vid' where app_id = 6; --- aai sparky -update fn_app set app_username='aaiui', app_password='4LK69amiIFtuzcl6Gsv97Tt7MLhzo03aoOx7dTvdjKQ=', ueb_key='ueb_key_7' where app_id = 7; - --- Disabled Policy APP -UPDATE fn_app fa SET fa.enabled = 'N' WHERE app_name = 'Policy'; --- Disabled AAIUI APP -UPDATE fn_app fa SET fa.enabled = 'N' WHERE app_name = 'A&AI UI'; -/* -Replace spaces with underscores for role names 
to match AAF role names -*/ -UPDATE fn_role SET role_name= REPLACE(role_name, ' ', '_') WHERE active_yn= 'Y' AND role_id NOT IN (999); - - -/* -Onboard LF Acumos App -*/ -INSERT IGNORE INTO `fn_app` (`app_id`, `app_name`, `app_image_url`, `app_description`, `app_notes`, `app_url`, `app_alternate_url`, `app_rest_endpoint`, `ml_app_name`, `ml_app_admin_id`, `mots_id`, `app_password`, `open`, `enabled`, `thumbnail`, `app_username`, `ueb_key`, `ueb_secret`, `ueb_topic_name`, `app_type`,`auth_central`,`auth_namespace`) VALUES -(11, 'LF Acumos Marketplace', 'images/cache/portal_907838932_26954.png', NULL, NULL, 'https://marketplace.acumos.org/#/home', NULL, NULL, '', '', NULL, '', 'Y', 'Y', NULL, '', '', '', '', 2,'N',NULL); - - --- add Acumos thumbnail -UPDATE`fn_app`SET`thumbnail`=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`app_id`='11' and `app_name` = 'LF Acumos Marketplace'; diff --git a/kubernetes/portal/components/portal-mariadb/templates/NOTES.txt b/kubernetes/portal/components/portal-mariadb/templates/NOTES.txt deleted file mode 100644 index ee7a285cc0..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
- http://{{ . }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }}
-{{- end }}
diff --git a/kubernetes/portal/components/portal-mariadb/templates/configmap.yaml b/kubernetes/portal/components/portal-mariadb/templates/configmap.yaml
deleted file mode 100644
index eaa0cfb259..0000000000
--- a/kubernetes/portal/components/portal-mariadb/templates/configmap.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "common.fullname" . }}-mariadb
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/mariadb/*").AsConfig . | indent 2 }}
-
diff --git a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
deleted file mode 100644
index 1d0d5bc5e5..0000000000
--- a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- selector:
- matchLabels:
- app: {{ include "common.name" . }}
- replicas: {{ .Values.replicaCount }}
- template:
- metadata:
- labels:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
- spec:
- initContainers:
- - name: volume-permissions
- image: {{ include "repositoryGenerator.image.busybox" . }}
- command: ['sh', '-c', 'chmod -R 777 /var/lib/mysql']
- volumeMounts:
- - mountPath: /var/lib/mysql
- name: mariadb-data
- containers:
- - name: {{ include "common.name" . }}
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- ports:
- - containerPort: {{ .Values.service.internalPort }}
- # disable liveness probe when breakpoints set in debugger
- # so K8s doesn't restart unresponsive container
- {{- if eq .Values.liveness.enabled true }}
- livenessProbe:
- tcpSocket:
- port: {{ .Values.service.internalPort }}
- initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
- periodSeconds: {{ .Values.liveness.periodSeconds }}
- {{end -}}
- readinessProbe:
- tcpSocket:
- port: {{ .Values.service.internalPort }}
- initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
- periodSeconds: {{ .Values.readiness.periodSeconds }}
- env:
- - name: MYSQL_HOST
- value: "{{ include "common.servicename" . }}"
- - name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}
- key: db-root-password
- - name: MYSQL_USER
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}
- key: backend-db-user
- - name: MYSQL_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}
- key: backend-db-password
- - name: PORTAL_DB_TABLES
- value: {{ .Values.config.backend_portal_tables }}
- volumeMounts:
- - mountPath: /var/lib/mysql
- name: mariadb-data
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
- - mountPath: /usr/local/bin/docker-entrypoint.sh
- subPath: docker-entrypoint.sh
- name: docker-entry
- resources:
-{{ include "common.resources" . | indent 12 }}
- {{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 10 }}
- {{- end -}}
- {{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 10 }}
- {{- end }}
- serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
- {{- if .Values.persistence.enabled }}
- - name: mariadb-data
- persistentVolumeClaim:
- claimName: {{ include "common.fullname" . }}
- {{- else }}
- emptyDir: {}
- {{- end }}
- - name: localtime
- hostPath:
- path: /etc/localtime
- - name: docker-entry
- configMap:
- name: {{ include "common.fullname" . }}-mariadb
- defaultMode: 0755
- imagePullSecrets:
- - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/portal/components/portal-mariadb/templates/job.yaml b/kubernetes/portal/components/portal-mariadb/templates/job.yaml
deleted file mode 100644
index 5a66bb96bd..0000000000
--- a/kubernetes/portal/components/portal-mariadb/templates/job.yaml
+++ /dev/null
@@ -1,95 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.name" . }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-job - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadbInitImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DB_HOST - value: "{{ include "common.servicename" . 
}}" - - name: DB_USER - value: {{ .Values.config.mariadbUser }} - - name: DB_PASS - valueFrom: - secretKeyRef: {name: {{ include "common.fullname" . }}, key: db-root-password} - - name: SQL_SRC_DIR - value: {{ .Values.config.sqlSourceDirectory }} - - name: {{ include "common.name" . }}-oom-update-job - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadbInitImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DB_HOST - value: "{{ include "common.servicename" . }}" - - name: DB_USER - value: {{ .Values.config.mariadbUser }} - - name: DB_PORT - value: "{{ .Values.service.internalPort }}" - - name: DB_PASS - valueFrom: - secretKeyRef: - name: {{ include "common.fullname" . }} - key: db-root-password - command: - - /bin/sh - - -x - - -c - - "mysql -vv --user=$DB_USER --password=$DB_PASS --host=$DB_HOST --port=$DB_PORT < /tmp/oom_updates.sql" - volumeMounts: - - name: portal-mariadb-sql - mountPath: /tmp/oom_updates.sql - subPath: oom_updates.sql - volumes: - - name: portal-mariadb-sql - configMap: - name: {{ include "common.fullname" . }}-mariadb - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never diff --git a/kubernetes/portal/components/portal-mariadb/templates/pv.yaml b/kubernetes/portal/components/portal-mariadb/templates/pv.yaml deleted file mode 100644 index e10b003570..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/pv.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/portal/components/portal-mariadb/templates/pvc.yaml b/kubernetes/portal/components/portal-mariadb/templates/pvc.yaml deleted file mode 100644 index 1cadcc51d5..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/pvc.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml deleted file mode 100644 index c0800e0275..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }} -stringData: - backend-db-user: {{ .Values.config.backendDbUser }} - backend-db-password: {{ .Values.config.backendDbPassword }} diff --git a/kubernetes/portal/components/portal-mariadb/templates/service.yaml b/kubernetes/portal/components/portal-mariadb/templates/service.yaml deleted file mode 100644 index 7b9ef91900..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/service.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.externalPort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - name: {{ .Values.service.portName }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-mariadb/values.yaml b/kubernetes/portal/components/portal-mariadb/values.yaml deleted file mode 100644 index a7fdb54d78..0000000000 --- a/kubernetes/portal/components/portal-mariadb/values.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: # global defaults - nodePortPrefix: 302 - persistence: {} - -# application image -image: onap/portal-db:3.4.1 -pullPolicy: Always -mariadbInitImage: oomk8s/mariadb-client-init:3.0.0 - -# application configuration -config: - mariadbUser: root - mariadbRootPassword: Aa123456 - backendDbUser: portal - backendDbPassword: portal - #backend_portal_tables is a comma delimited string listing back-end tables - #that backendDbUser needs access to, such as to portal and ecomp_sdk tables - backend_portal_tables: portal,ecomp_sdk - #The directory where sql files are found in the projects gerrit repo. - sqlSourceDirectory: portal/deliveries - # sdc frontend assignment for port 9443 - sdcFePort: "30207" - # application's front end hostname. Must be resolvable on the client side environment - sdcFeHostName: "sdc.api.fe.simpledemo.onap.org" - # policy pap ui assignment for port 8443 - papPort: "30219" - # application's front end hostname. Must be resolvable on the client side environment - papHostName: "policy.api.simpledemo.onap.org" - # vid ui assignment for port 8443 - vidPort: "30200" - # application's front end hostname. 
Must be resolvable on the client side environment - vidHostName: "vid.api.simpledemo.onap.org" - # aai sparky ui assignment for port 8080 - aaiSparkyPort: "30220" - # application's front end hostname. Must be resolvable on the client side environment - aaiSparkyHostName: "aai.ui.simpledemo.onap.org" - # cli ui assignment for port 8080 - cliPort: "30260" - # application's front end hostname. Must be resolvable on the client side environment - cliHostName: "cli.api.simpledemo.onap.org" - # portal sdk (demo app) ui assignment for port 8990 - portalSdkPort: "30212" - # application's front end hostname. Must be resolvable on the client side environment - portalSdkHostName: "portal-sdk.simpledemo.onap.org" - # dmaap bus controller ui assignment for port ? - dmaapBcPort: "" # TODO: populate with - # application's front end hostname. Must be resolvable on the client side environment - dmaapBcHostName: "dmaap-bc.simpledemo.onap.org" - # msb IAG ui assignment for port 80 - msbPort: "30283" - # application's front end hostname. Must be resolvable on the client side environment - msbHostName: "msb.api.simpledemo.onap.org" - # SO Monitoring assignment for port 30224 - soMonitoringPort: "30224" - # application's front end hostname. 
Must be resolvable on the client side environment - soMonitoringHostName: "so-monitoring" - - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 450 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 450 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: portal/mariadb/data - -service: - type: ClusterIP - name: portal-db - portName: portal-db - externalPort: 3306 - internalPort: 3306 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 460m - memory: 175Mi - requests: - cpu: 10m - memory: 100Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 800m - memory: 1Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: portal-db - roles: - - read diff --git a/kubernetes/portal/components/portal-sdk/.helmignore b/kubernetes/portal/components/portal-sdk/.helmignore deleted file mode 100644 index daebc7da77..0000000000 
--- a/kubernetes/portal/components/portal-sdk/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/kubernetes/portal/components/portal-sdk/Chart.yaml b/kubernetes/portal/components/portal-sdk/Chart.yaml
deleted file mode 100644
index 7f3ff1d8b5..0000000000
--- a/kubernetes/portal/components/portal-sdk/Chart.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Portal software development kit
-name: portal-sdk
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: certInitializer
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/fusion.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/fusion.properties
deleted file mode 100644
index 895de10a4f..0000000000
--- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/fusion.properties
+++ /dev/null
@@ -1,51 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-# login settings
-login_method_backdoor = backdoor
-login_method_attribute_name = login_method
-
-# These properties will be removed after SingleSignOnController is cleaned
-authentication_mechanism = BOTH
-login_method_csp = csp
-login_method_web_junction = web_junction
-
-#login message
-login.error.hrid.empty = Login failed, please contact system administrator.
-login.error.hrid.not-found = User not found, please contact system administrator.
-login.error.user.inactive = Account is disabled, please contact system administrator.
-
-# User Session settings
-user_attribute_name = user
-roles_attribute_name = roles
-role_function_list = role_function_list
-role_functions_attribute_name = role_functions
-
-# Import-user LDAP settings
-post_initial_context_factory = com.sun.jndi.ldap.LdapCtxFactory
-post_provider_url = ldap://ldap.mycompany.com:389
-post_security_principal = ou=people,o=mycompany,c=us
-post_max_result_size = 499
-
-# menu settings
-menu_query_name = menuData
-application_menu_set_name = APP
-application_menu_attribute_name = applicationMenuData
-business_direct_menu_set_name = BD
-business_direct_menu_attribute_name = businessDirectMenuData
-
-# Role settings
-sys_admin_role_id = 1
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties
deleted file mode 100644
index a5160457ec..0000000000
--- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties
+++ /dev/null
@@ -1,42 +0,0 @@
-{{/*
-###
-# ============LICENSE_START==========================================
-# ONAP Portal SDK
-# ===================================================================
-# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
-# ===================================================================
-#
-# Unless otherwise specified, all software contained herein is licensed
-# under the Apache License, Version 2.0 (the “License”);
-# you may not use this software except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Unless otherwise specified, all documentation contained herein is licensed
-# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
-# you may not use this documentation except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# https://creativecommons.org/licenses/by/4.0/
-#
-# Unless required by applicable law or agreed to in writing, documentation
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# ============LICENSE_END============================================
-#
-#
-###
-*/}}
-
-# Properties read by the ECOMP Framework library (epsdk-fw)
-cipher.enc.key = ${CIPHER_ENC_KEY}
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml deleted file mode 100644 index 2c2cd00f1c..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml +++ /dev/null @@ -1,225 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${defaultLoggerPattern} - - - - - - - - ${logDirectory}/${generalLogName}.log - - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${applicationLoggerPattern} - - - - - 256 - - true - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${auditLoggerPattern} - - - - 256 - - - - ${logDirectory}/${metricsLogName}.log - - - ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${metricsLoggerPattern} - - - - 256 - - - - ${logDirectory}/${errorLogName}.log - - - ${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${errorLoggerPattern} - - - - 256 - - - - ${debugLogDirectory}/${debugLogName}.log - - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${defaultLoggerPattern} - - - - 256 - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties deleted file mode 100644 index 3e215647e5..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties +++ /dev/null 
@@ -1,36 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-
-music.version = v2
-music.keyspace = keyspaces
-music.session.keyspace = portalsdk
-music.tables = tables
-music.session.attr.tables = spring_session_attributes
-music.session.meta.tables = spring_session
-music.consistency.info = type
-music.consistency.info.value = eventual
-music.cache = false
-music.session.max.inactive.interval.seconds = 1800
-music.serialize.compress = true
-
-#By default it's eventual
-music.atomic.get = false
-music.atomic.put = false
-
-cassandra.host={{.Values.cassandra.service.name}}
-cassandra.user=${CASSA_USER}
-cassandra.password=${CASSA_PASSWORD}
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/portal.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/portal.properties
deleted file mode 100755
index 4d26240be4..0000000000
--- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/portal.properties
+++ /dev/null
@@ -1,62 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -# Properties read by ECOMP Framework library, ecompFW.jar - -########################################################################## -# The following properties should NOT be changed by partner applications. -########################################################################## - -portal.api.prefix = /api -max.idle.time = 5 -user.attribute.name = user_attribute - -#Use REST API instead of UEB to fetch the functional menu data -use_rest_for_functional_menu=true - -########################################################################## -# The following properties MUST be changed by partner applications. -########################################################################## - -# Name of java class that implements the OnBoardingApiService interface. -# epsdk 1.3 uses org.onap prefix -portal.api.impl.class = org.onap.portalapp.service.OnBoardingApiServiceImpl - -# CSP Global Log On for single sign on -ecomp_redirect_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm - -# URL of the ECOMP Portal REST API - -ecomp_rest_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/auxapi - -# Applications do not need to run a UEB listener in 1610. 
-ueb_listeners_enable = false - -# UEB Configuration -ueb_url_list = message-router -# ECOMP Portal listens on this UEB topic -ecomp_portal_inbox_name = ECOMP-PORTAL-INBOX -# Replace these 3 default values with the ones for your specific App, -# as shown on the on-boarding page on the ECOMP Portal web application. -ueb_app_key = jQd4a9zVNi4ePyBp -ueb_app_secret = P0HpqEBhKJvxjRYdw2sCTUll -ueb_app_mailbox_name = ECOMP-PORTAL-OUTBOX-APP1 -# Consumer group name for UEB topic. -# Use the special tag '{UUID}' to generate a unique one for each sdk-app server. -ueb_app_consumer_group_name = {UUID} - -decryption_key = AGLDdG4D04BKm2IxIWEr8o== diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties deleted file mode 100755 index 3873da13a9..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties +++ /dev/null 
@@ -1,95 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -# Properties read by ECOMP Core library, ecompSDK-core.jar - -########################################################################## -# The following properties should NOT be changed by partner applications. -########################################################################## - -application_user_id = 30000 -post_default_role_id = 16 -clustered = true - -#Enable Fusion Mobile capabilities for the application -mobile_enable = false - -# Cache config file is needed on the classpath -cache_config_file_path = /WEB-INF/classes/cache.ccf -cache_switch = 199 -cache_load_on_startup = false - -user_name = fullName -decryption_key = AGLDdG4D04BKm2IxIWEr8o== - -########################################################################## -# The following properties MAY require changes by partner applications. 
-########################################################################## - -db.driver = org.mariadb.jdbc.Driver -db.connectionURL = jdbc:mariadb://portal-db:3306/ecomp_sdk -db.userName =${PORTAL_DB_USER} -db.password =${PORTAL_DB_PASSWORD} -db.min_pool_size = 5 -db.max_pool_size = 10 -hb.dialect = org.hibernate.dialect.MySQLDialect -# SQL statements are logged to stdout -hb.show_sql = true -hb.idle_connection_test_period = 3600 - -app_display_name = Demo App -files_path = /tmp - -#element map files -element_map_file_path = /tmp -element_map_icon_path = app/fusionapp/icons/ - -#Cron Schedules -log_cron = 0 0/1 * * * ?; -mylogins_feed_cron = 0 0/60 * * * ?; -#sessiontimeout_feed_cron = 0 * * * * ? * -my_login_feed_output_dir = /tmp/MyLogins - -# Link shown in Help menu -contact_us_link = https://todo_contact_us_link.com - -# An Unique 128-bit value defined to identify a specific version -# of an application deployed on a specific virtual machine. -# This value must be generated and updated by the application -# which is using the ECOMP SDK at the time of its deployment. -# Online Unique UUID generator - https://www.uuidgenerator.net/ -instance_uuid=8da691c9-987d-43ed-a358-00ac2f35685d - -# R Cloud feature - configure this property to enable notebook feature - for more details on RCloud please visit https://rcloud.social/index.html -guard_notebook_url= - -#authenticate user server -#TODO: what is this URL supposed to be pointing to? Nothing in portal opens 8383 -authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-connect-server-webapp/allUsers - -#cookie domain -cookie_domain = onap.org - -# External Central Auth system access -remote_centralized_system_access = {{.Values.global.aafEnabled}} - -# External Access System Basic Auth Credentials & Rest endpoint -# External Access System Basic Auth Credentials & Rest endpoint -ext_central_access_user_name = aaf_admin@people.osaaf.org -ext_central_access_password = demo123456! 
-ext_central_access_url = {{.Values.aafURL}} -ext_central_access_user_domain = @people.osaaf.org diff --git a/kubernetes/portal/components/portal-sdk/resources/server/server.xml b/kubernetes/portal/components/portal-sdk/resources/server/server.xml deleted file mode 100644 index 1cea5ab8f8..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/server/server.xml +++ /dev/null @@ -1,155 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {{ if .Values.global.aafEnabled }} - - {{ end }} - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-sdk/templates/NOTES.txt b/kubernetes/portal/components/portal-sdk/templates/NOTES.txt deleted file mode 100644 index 496dd8d1a5..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-sdk/templates/configmap.yaml b/kubernetes/portal/components/portal-sdk/templates/configmap.yaml deleted file mode 100644 index 30d2009c3e..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onapportalsdk - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTALSDK/*").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml deleted file mode 100644 index 66e80651c3..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml +++ /dev/null 
@@ -1,183 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018,2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "portal-db" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-portalsdk-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - cd /config-input && \ - for PFILE in `ls -1 *.xml` - do - cp ${PFILE} /config - chmod 0755 /config/${PFILE} - done - cd /config-input && \ - for PFILE in `ls -1 *.properties` - do - envsubst <${PFILE} >/config/${PFILE} - chmod 0755 /config/${PFILE} - done - env: - - name: CASSA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }} - - name: CASSA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }} - - name: CIPHER_ENC_KEY - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }} - - name: PORTAL_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} - - name: PORTAL_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: properties-onapportalsdk-scrubbed - - mountPath: /config - name: properties-onapportalsdk -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c"] - {{- if .Values.global.aafEnabled }} - args: ["export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0);\ - export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\ - /start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"] - env: - - name: CATALINA_OPTS - value: > - -Djavax.net.ssl.keyStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }}" - -Djavax.net.ssl.trustStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }}" - {{- else }} - args: ["/start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"] - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . 
| indent 8 }} - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml" - subPath: server.xml - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/fusion/conf/fusion.properties" - subPath: fusion.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/conf/system.properties" - subPath: system.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/portal.properties" - subPath: portal.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties" - subPath: key.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/music.properties" - subPath: music.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/logback.xml" - subPath: logback.xml - - name: portal-tomcat-logs - mountPath: "{{ .Values.global.env.tomcatDir }}/logs" - - name: var-log-onap - mountPath: "{{ .Values.log.path }}" - resources: -{{ include "common.resources" . }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - {{ include "common.log.sidecar" . | nindent 6 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-onapportalsdk - emptyDir: - medium: Memory - - name: properties-onapportalsdk-scrubbed - configMap: - name: {{ include "common.fullname" . 
}}-onapportalsdk - defaultMode: 0755 - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - - name: var-log-onap - emptyDir: {} - - name: portal-tomcat-logs - emptyDir: {} -{{ include "common.certInitializer.volumes" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-sdk/templates/ingress.yaml b/kubernetes/portal/components/portal-sdk/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/portal/components/portal-sdk/templates/secrets.yaml b/kubernetes/portal/components/portal-sdk/templates/secrets.yaml deleted file mode 100644 index 06a17b4009..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-sdk/templates/service.yaml b/kubernetes/portal/components/portal-sdk/templates/service.yaml deleted file mode 100644 index 56a65227a1..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
- targetPort: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- {{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml
deleted file mode 100644
index 1bc6b44852..0000000000
--- a/kubernetes/portal/components/portal-sdk/values.yaml
+++ /dev/null
@@ -1,173 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - env: - tomcatDir: "/usr/local/tomcat" - nodePortPrefix: 302 - persistence: {} - #AAF service - aafEnabled: true - -################################################################ -# Secrets metaconfig -################################################################# - -secrets: - - uid: portal-cass - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}' - login: '{{ .Values.cassandra.config.cassandraUsername }}' - password: '{{ .Values.cassandra.config.cassandraPassword }}' - passwordPolicy: required - - uid: portal-backend-db - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - - uid: cipher-enc-key - type: password - externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}' - password: '{{ .Values.config.cipherEncKey }}' - passwordPolicy: required - -################################################################# -# Application configuration defaults. 
-################################################################# - -# application image -image: onap/portal-sdk:3.4.2 -pullPolicy: Always - -# application configuration -config: - # cipherEncKeyExternalSecret: some secret - cipherEncKey: AGLDdG4D04BKm2IxIWEr8o== - - -#AAF local config -aafURL: https://aaf-service:8100/authz/ -certInitializer: - nameOverride: portal-sdk-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: portal - fqi: portal@portal.onap.org - public_fqdn: portal.onap.org - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - permission_user: 1000 - permission_group: 999 - keystoreFile: "org.onap.portal.p12" - truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: | - echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: portal-sdk - portName: portal-sdk - internalPort: 8443 - externalPort: 8443 - nodePort: 12 - -mariadb: - service: - name: portal-db - config: - # backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal -widget: - service: - name: portal-widget -cassandra: - service: - name: portal-cassandra - config: - # cassandraExternalSecret: some secret - cassandraUsername: root - cassandraPassword: Aa123456 -messageRouter: - service: - name: message-router - -ingress: - 
enabled: false - service: - - baseaddr: portal-sdk-api - name: "portal-sdk" - port: 8443 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 600m - memory: 1.6Gi - requests: - cpu: 10m - memory: 1.3Gi - large: - limits: - cpu: 8 - memory: 20Gi - requests: - cpu: 4 - memory: 10Gi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -#Pods Service Account -serviceAccount: - nameOverride: portal-sdk - roles: - - read diff --git a/kubernetes/portal/components/portal-widget/.helmignore b/kubernetes/portal/components/portal-widget/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-widget/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-widget/Chart.yaml b/kubernetes/portal/components/portal-widget/Chart.yaml deleted file mode 100644 index b9adb0ca5c..0000000000 --- a/kubernetes/portal/components/portal-widget/Chart.yaml +++ /dev/null 
@@ -1,32 +0,0 @@
-# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
-# Modifications Copyright © 2021 Orange
-# Modifications Copyright © 2021 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v2
-description: Portal widgets micro service application
-name: portal-widget
-version: 12.0.0
-
-dependencies:
- - name: common
- version: ~12.x-0
- repository: '@local'
- - name: repositoryGenerator
- version: ~12.x-0
- repository: '@local'
- - name: serviceAccount
- version: ~12.x-0
- repository: '@local'
diff --git a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties
deleted file mode 100644
index f5a900e8ce..0000000000
--- a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties
+++ /dev/null
@@ -1,32 +0,0 @@
-## General App Properties
-server.contextPath=/widget
-server.port=8082
-spring.http.multipart.max-file-size=128MB
-spring.http.multipart.max-request-size=128MB
-microservice.widget.location=/tmp
-
-## App DB Properties
-spring.datasource.url=jdbc:mysql://portal-db:3306/portal
-spring.datasource.username=${PORTAL_DB_USER}
-spring.datasource.password=${PORTAL_DB_PASSWORD}
-spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQLDialect
-spring.database.driver.classname=org.mariadb.jdbc.Driver
-spring.jpa.show-sql=false
-spring.jpa.properties.hibernate.format_sql=false
-
-## Basic Authentication Properties
-security.user.name=${WIDGET_USER}
-security.user.password=${WIDGET_PASSWORD}
-
-initialization.default.widgets=true
-initialization.widgetData.url=http://portal-app:{{.Values.global.portalPort}}/ONAPPORTAL/commonWidgets
-
-## Account Basic Authentication Properties
-account.user.name=${ACC_USER}
-account.user.password=${ACC_PASSWORD}
-
-## Certificate Properties
-#server.ssl.key-store=classpath:widget-keystore.p12
-#server.ssl.key-store-password=ENC(DiIYnAMab4u7rEW2yKhF9zBL00uU55q8)
-#server.ssl.keyStoreType=PKCS12
-#server.ssl.keyAlias=widget-microservice
diff --git a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml
deleted file mode 100644
index f3da66f882..0000000000
--- a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-jasypt:
- encryptor:
- password: ${JASYPT_ENC_KEY}
diff --git a/kubernetes/portal/components/portal-widget/templates/NOTES.txt b/kubernetes/portal/components/portal-widget/templates/NOTES.txt
deleted file mode 100644
index 496dd8d1a5..0000000000
--- a/kubernetes/portal/components/portal-widget/templates/NOTES.txt
+++ /dev/null
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-widget/templates/configmap.yaml b/kubernetes/portal/components/portal-widget/templates/configmap.yaml deleted file mode 100644 index 58acd42a69..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onapwidgetms - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPWIDGETMS/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal/components/portal-widget/templates/deployment.yaml b/kubernetes/portal/components/portal-widget/templates/deployment.yaml deleted file mode 100644 index e9ecece41e..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/deployment.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "portal-db" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-portal-widget-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - cd /config-input && \ - for PFILE in `ls -1 *.*` - do - envsubst <${PFILE} >/config/${PFILE} - chmod 0755 /config/${PFILE} - done - env: - - name: PORTAL_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} - - name: PORTAL_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} - - name: WIDGET_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-widget" "key" "login") | indent 12 }} - - name: WIDGET_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-widget" "key" "password") | indent 12 }} - - name: ACC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-account" "key" "login") | indent 12 }} - - name: ACC_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-account" "key" "password") | indent 12 }} - - name: JASYPT_ENC_KEY - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "jasypt-enc-key" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: properties-onapwidgetms-scrubbed - - mountPath: /config - name: properties-onapwidgetms - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /start-wms.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: properties-onapwidgetms - mountPath: "/application.properties" - subPath: application.properties - - name: properties-onapwidgetms - mountPath: "/application.yml" - subPath: application.yml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-onapwidgetms - emptyDir: - medium: Memory - - name: properties-onapwidgetms-scrubbed - configMap: - name: {{ include "common.fullname" . }}-onapwidgetms - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-widget/templates/secret.yaml b/kubernetes/portal/components/portal-widget/templates/secret.yaml deleted file mode 100644 index 9a3f011e80..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-widget/templates/service.yaml b/kubernetes/portal/components/portal-widget/templates/service.yaml deleted file mode 100644 index 5197841189..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-widget/values.yaml b/kubernetes/portal/components/portal-widget/values.yaml deleted file mode 100644 index dfa51d8c7b..0000000000 --- a/kubernetes/portal/components/portal-widget/values.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################ -# Secrets metaconfig -################################################################# - -secrets: - - uid: portal-backend-db - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - - uid: portal-widget - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.widgetCredsExternalSecret) . }}' - login: '{{ .Values.config.widgetUsername }}' - password: '{{ .Values.config.widgetPassword }}' - passwordPolicy: required - - uid: portal-account - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.accountCredsExternalSecret) . 
}}' - login: '{{ .Values.config.accountUsername }}' - password: '{{ .Values.config.accountPassword }}' - passwordPolicy: required - - uid: jasypt-enc-key - type: password - externalSecret: '{{ .Values.config.jasyptEncKeyExternalSecret}}' - password: '{{ .Values.config.jasyptEncKey }}' - passwordPolicy: required - -config: - widgetUsername: widget_user - widgetPassword: widget_pass -# widgetCredsExternalSecret: some secret - accountUsername: portal - accountPassword: portal -# accountCredsExternalSecret: some secret - jasyptEncKey: EncryptionKey - # jasyptEncKeyExternalSecret: some secret - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/portal-wms:3.4.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -mariadb: - service: - name: portal-db - config: - # backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal - -service: - type: ClusterIP - name: portal-widget - portName: portal-widget - externalPort: 8082 - internalPort: 8082 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 430Mi - requests: - cpu: 1m - memory: 360Mi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 1 - memory: 4Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: portal-widget - roles: - - read 
\ No newline at end of file diff --git a/kubernetes/portal/docker/init/mariadb-client/Dockerfile b/kubernetes/portal/docker/init/mariadb-client/Dockerfile deleted file mode 100644 index 72f60d35ad..0000000000 --- a/kubernetes/portal/docker/init/mariadb-client/Dockerfile +++ /dev/null 
@@ -1,54 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM boxfuse/flyway:5.0.7-alpine - -ARG branch=3.0.0-ONAP -ENV no_proxy "localhost,127.0.0.1,.cluster.local,$KUBERNETES_SERVICE_HOST" -# Setup Corporate proxy -ENV https_proxy ${HTTP_PROXY} -ENV http_proxy ${HTTPS_PROXY} - -RUN apk add --update \ - mariadb-client=10.1.32-r0 \ - git \ - && rm -rf /var/cache/apk/* - -ENV so_branch=$branch -#ENV policy_branch: $branch -ENV portal_branch=$branch -#ENV sdnc_branch: $branch -#ENV vid_branch: $branch -#ENV clamp_branch: $branch - -#ENV appc_repo: http://gerrit.onap.org/r/appc/deployment.git -ENV so_repo=http://gerrit.onap.org/r/so/docker-config.git -#ENV policy_repo: http://gerrit.onap.org/r/policy/docker.git -ENV portal_repo=http://gerrit.onap.org/r/portal.git -#ENV sdnc_repo: http://gerrit.onap.org/r/sdnc/oam.git -#ENV vid_repo: http://gerrit.onap.org/r/vid.git -#ENV clamp_repo: http://gerrit.onap.org/r/clamp.git - -RUN mkdir -p /onap-sources -WORKDIR /onap-sources - -RUN git clone -b $branch $portal_repo && cd portal && git checkout HEAD -RUN git clone -b $branch $so_repo && cd docker-config && git checkout HEAD - -VOLUME /onap-sources - -COPY db_migrate.sh /root - -RUN chmod a+x /root/db_migrate.sh -ENTRYPOINT /root/db_migrate.sh 
diff --git a/kubernetes/portal/docker/init/mariadb-client/db_migrate.sh b/kubernetes/portal/docker/init/mariadb-client/db_migrate.sh deleted file mode 100644 index 2b90a994c3..0000000000 --- a/kubernetes/portal/docker/init/mariadb-client/db_migrate.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh -x - -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -SQL_DEST_DIR=${SQL_DEST_DIR:-/tmp/sql} -DB_PORT=${DB_PORT:-3306} - -[ -z "$SQL_SRC_DIR" ] && { echo "Error: SQL_SRC_DIR must be provided as an environment variable"; exit 1; } -[ -z "$DB_USER" ] && { echo "Error: DB_USER must be provided as an environment variable"; exit 1; } -[ -z "$DB_PASS" ] && { echo "Error: DB_PASS must be provided as an environment variable"; exit 1; } -[ -z "$DB_HOST" ] && { echo "Error: DB_HOST must be provided as an environment variable"; exit 1; } - -mkdir -p $SQL_DEST_DIR - -#Find all sql files and copy them to the destination directory -find "/onap-sources/$SQL_SRC_DIR" -type f -iname "*.sql" | awk -v dest="$SQL_DEST_DIR" '{n=split($1,a,"/"); system(sprintf( "cp %s %s", $1, dest"/"a[n])) }' - - -#Not needed right now? -#--database=$DB_NAME - -#--force to deal with duplicate records in absense of "insert ignore" -##ERROR 1062 (23000) at line 382: Duplicate entry '2' for key 'PRIMARY' - -cd $SQL_DEST_DIR -cat *.sql | mysql -vv --user=$DB_USER --password=$DB_PASS --host=$DB_HOST --port=$DB_PORT --force 
diff --git a/kubernetes/portal/resources/config/log/filebeat/filebeat.yml b/kubernetes/portal/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 56ed10a50c..0000000000 --- a/kubernetes/portal/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. 
- loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/portal/templates/configmap.yaml b/kubernetes/portal/templates/configmap.yaml deleted file mode 100644 index 681f24eff3..0000000000 --- a/kubernetes/portal/templates/configmap.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.log.configMap" . }} diff --git a/kubernetes/portal/templates/secrets.yaml b/kubernetes/portal/templates/secrets.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/portal/templates/secrets.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/values.yaml b/kubernetes/portal/values.yaml deleted file mode 100644 index 0e6c9d63f5..0000000000 --- a/kubernetes/portal/values.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - env: - tomcatDir: "/usr/local/tomcat" - # portal frontend port - portalPort: "8989" - portalFEPort: "30225" - # application's front end hostname. Must be resolvable on the client side environment - portalHostName: "portal.api.simpledemo.onap.org" - - centralizedLoggingEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: portal-cass - name: &dbSecretName '{{ include "common.release" . }}-portal-cass-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.casandraCredsExternalSecret) . }}' - login: '{{ .Values.config.cassandraUsername }}' - password: '{{ .Values.config.cassandraPassword }}' - - uid: portal-backend-db - name: &backendDbSecretName '{{ include "common.release" . }}-portal-backend-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . 
}}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - -config: - logstashServiceName: log-ls - logstashPort: 5044 - cassandraUsername: root - cassandraPassword: Aa123456 -# casandraCredsExternalSecret: some secret - -portal-mariadb: - nameOverride: portal-db -mariadb: - service: - name: portal-db - config: -# backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal - -widget: - service: - name: portal-widget -cassandra: - service: - name: portal-cassandra - config: - cassandraExternalSecret: *dbSecretName -portal-app: - mariadb: - config: - backendDbExternalSecret: *backendDbSecretName - cassandra: - config: - cassandraExternalSecret: *dbSecretName - logConfigMapNamePrefix: '{{ include "common.release" . }}-portal' -portal-sdk: - mariadb: - config: - backendDbExternalSecret: *backendDbSecretName - cassandra: - config: - cassandraExternalSecret: *dbSecretName - logConfigMapNamePrefix: '{{ include "common.release" . }}-portal' -messageRouter: - service: - name: message-router -ingress: - enabled: false diff --git a/kubernetes/robot/Chart.yaml b/kubernetes/robot/Chart.yaml index 343279ce1d..d1f835342b 100644 --- a/kubernetes/robot/Chart.yaml +++ b/kubernetes/robot/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: A helm Chart for kubernetes-ONAP Robot name: robot -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/robot/demo-k8s.sh b/kubernetes/robot/demo-k8s.sh index 3f8ac9deec..0e8f11afcc 100755 --- a/kubernetes/robot/demo-k8s.sh 
+++ b/kubernetes/robot/demo-k8s.sh @@ -55,9 +55,6 @@ usage () echo " demo-k8s.sh preload " echo " - Preload data for VNF for the " echo " " - echo " demo-k8s.sh appc " - echo " - provide APPC with vFW module mount point for closed loop" - echo " " echo " demo-k8s.sh init_robot [ ]" echo " - Initialize robot after all ONAP VMs have started" echo " " @@ -168,16 +165,6 @@ do VARIABLES="$VARIABLES -v MODULE_NAME:$1" shift ;; - appc) - TAG="APPCMountPointDemo" - shift - if [ $# -ne 1 ];then - echo "Usage: demo-k8s.sh appc " - exit - fi - VARIABLES="$VARIABLES -v MODULE_NAME:$1" - shift - ;; instantiateVFW) TAG="instantiateVFW" VARIABLES="$VARIABLES -v GLOBAL_BUILD_NUMBER:$$" diff --git a/kubernetes/robot/ete-k8s.sh b/kubernetes/robot/ete-k8s.sh index 82bf836ade..aa02e17867 100755 --- a/kubernetes/robot/ete-k8s.sh +++ b/kubernetes/robot/ete-k8s.sh @@ -31,7 +31,7 @@ if [ "$1" = "" ] || [ "$2" = "" ]; then echo " InitDistribution, PreloadDemo, deleteVNF, instantiateDemoVFWCL, instantiateVFW, " echo " instantiateVFWCL, instantiateVFWDT, instantiateVFWCLDN" echo "" - echo " health-check.robot: health, core, small, medium, 3rdparty, api, datarouter, externalapi, health-aaf, health-aai, health-appc," + echo " health-check.robot: health, core, small, medium, 3rdparty, api, datarouter, externalapi, health-aaf, health-aai," echo " health-clamp, health-cli, health-dcae, health-dmaap, health-log, health-modeling, health-msb," echo " health-multicloud, health-oof, health-policy, health-pomba, health-portal, health-sdc, health-sdnc," echo " health-so, health-uui, health-vfc, health-vid, health-vnfsdk, healthdist, healthlogin, healthmr," diff --git a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py index 8365c68297..e52e48c548 100644 --- a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py +++ b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py 
@@ -16,8 +16,6 @@ GLOBAL_INJECTED_AAF_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "aaf-service") }}' GLOBAL_INJECTED_AAI_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "aai") }}' -GLOBAL_INJECTED_APPC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "appc") }}' -GLOBAL_INJECTED_APPC_CDT_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "appc-cdt") }}' GLOBAL_INJECTED_ARTIFACTS_VERSION = '{{.Values.demoArtifactsVersion}}' GLOBAL_INJECTED_ARTIFACTS_REPO_URL = "{{ .Values.demoArtifactsRepoUrl }}" GLOBAL_INJECTED_CLAMP_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "policy-gui") }}' 
@@ -27,11 +25,11 @@ GLOBAL_INJECTED_DCAE_COLLECTOR_IP = "{{ .Values.dcaeCollectorIp }}" GLOBAL_INJECTED_DCAE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-healthcheck") }}' GLOBAL_INJECTED_DCAE_MS_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-ms-healthcheck") }}' GLOBAL_INJECTED_DCAE_VES_HOST = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-ves-collector") }}' -GLOBAL_INJECTED_DMAAP_DR_PROV_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-prov") }}' -GLOBAL_INJECTED_DMAAP_DR_NODE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-node") }}' GLOBAL_INJECTED_DNS_IP_ADDR = 'N/A' GLOBAL_INJECTED_DOCKER_VERSION = '1.2-STAGING-latest' GLOBAL_INJECTED_EXTERNAL_DNS = 'N/A' +GLOBAL_INJECTED_HOLMES_ENGINE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "holmes-engine-mgmt") }}' +GLOBAL_INJECTED_HOLMES_RULE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "holmes-rule-mgmt") }}' GLOBAL_INJECTED_LOG_ELASTICSEARCH_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "log-es") }}' GLOBAL_INJECTED_LOG_KIBANA_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "log-kibana") }}' GLOBAL_INJECTED_LOG_LOGSTASH_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "log-ls-http") }}' 
@@ -46,8 +44,6 @@ GLOBAL_INJECTED_POMBA_KIBANA_IP_ADDR = '{{include "robot.ingress.svchost" (dict GLOBAL_INJECTED_POMBA_ELASTIC_SEARCH_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "pomba-es") }}' GLOBAL_INJECTED_POMBA_CONTEX_TAGGREGATOR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "pomba-contextaggregator") }}' GLOBAL_INJECTED_KEYSTONE = '{{ .Values.openStackKeyStoneUrl }}' -GLOBAL_INJECTED_MR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router") }}' -GLOBAL_INJECTED_BC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-bc") }}' GLOBAL_INJECTED_MUSIC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "music") }}' GLOBAL_INJECTED_NBI_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "nbi") }}' GLOBAL_INJECTED_NETWORK = '{{ .Values.openStackPrivateNetId }}' 
@@ -60,6 +56,14 @@ GLOBAL_INJECTED_OOF_HOMING_IP_ADDR = '{{include "robot.ingress.svchost" (dict "r GLOBAL_INJECTED_OOF_SNIRO_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "oof-osdf") }}' GLOBAL_INJECTED_OOF_CMSO_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "oof-cmso") }}' GLOBAL_INJECTED_MSB_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "msb-iag") }}' +GLOBAL_INJECTED_MC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud") }}' +GLOBAL_INJECTED_MC_PIKE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-pike") }}' +GLOBAL_INJECTED_MC_PROMETHEUS_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-prometheus") }}' +GLOBAL_INJECTED_MC_STARLINGX_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-starlingx") }}' +GLOBAL_INJECTED_MC_TC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-titaniumcloud") }}' +GLOBAL_INJECTED_MC_VIO_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-vio") }}' +GLOBAL_INJECTED_MC_K8S_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-k8s") }}' +GLOBAL_INJECTED_MC_FCAPS_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-fcaps") }}' GLOBAL_INJECTED_OPENSTACK_API_KEY = '{{ .Values.config.openStackEncryptedPasswordHere}}' GLOBAL_INJECTED_OPENSTACK_TENANT_ID = '{{ .Values.openStackTenantId }}' GLOBAL_INJECTED_OPENSTACK_USERNAME = '{{ .Values.openStackUserName }}' 
@@ -69,6 +73,7 @@ GLOBAL_INJECTED_OPENSTACK_USER_DOMAIN = '{{ .Values.openStackUserDomain }}' GLOBAL_INJECTED_OPENSTACK_KEYSTONE_API_VERSION = '{{ .Values.openStackKeystoneAPIVersion }}' GLOBAL_INJECTED_REGION_THREE = '{{ .Values.openStackRegionRegionThree }}' GLOBAL_INJECTED_KEYSTONE_REGION_THREE = '{{ .Values.openStackKeyStoneUrlRegionThree }}' +GLOBAL_INJECTED_MODEL_PARSER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "modeling-etsicatalog") }}' GLOBAL_INJECTED_OPENSTACK_KEYSTONE_API_VERSION_REGION_THREE = '{{ .Values.openStackKeystoneAPIVersionRegionThree }}' GLOBAL_INJECTED_OPENSTACK_USERNAME_REGION_THREE = '{{ .Values.openStackUserNameRegionThree }}' GLOBAL_INJECTED_OPENSTACK_SO_ENCRYPTED_PASSWORD_REGION_THREE = '{{ .Values.openSackMsoEncryptdPasswordRegionThree }}' 
@@ -114,6 +119,14 @@ GLOBAL_INJECTED_SO_VNFM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root GLOBAL_INJECTED_SO_NSSMF_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-nssmf-adapter") }}' GLOBAL_INJECTED_UBUNTU_1404_IMAGE = '{{ .Values.ubuntu14Image }}' GLOBAL_INJECTED_UBUNTU_1604_IMAGE = '{{ .Values.ubuntu16Image }}' +GLOBAL_INJECTED_UUI_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "uui-server") }}' +GLOBAL_INJECTED_VFC_GVNFMDRIVER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-generic-vnfm-driver") }}' +GLOBAL_INJECTED_VFC_HUAWEIVNFMDRIVER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-huawei-vnfm-driver") }}' +GLOBAL_INJECTED_VFC_NSLCM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-nslcm") }}' +GLOBAL_INJECTED_VFC_VNFLCM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-vnflcm") }}' +GLOBAL_INJECTED_VFC_VNFMGR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-vnfmgr") }}' +GLOBAL_INJECTED_VFC_VNFRES_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-vnfres") }}' +GLOBAL_INJECTED_VFC_ZTEVNFDRIVER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-zte-vnfm-driver") }}' GLOBAL_INJECTED_VM_IMAGE_NAME = '{{ .Values.ubuntu14Image }}' GLOBAL_INJECTED_DANOS_IMAGE_NAME = '{{ .Values.danosImage }}' GLOBAL_INJECTED_DANOS_FLAVOR = '{{ .Values.danosFlavor }}' 
@@ -129,37 +142,28 @@ GLOBAL_AAF_PASSWORD = '{{ .Values.aafPassword }}' GLOBAL_AAF_AUTHENTICATION = [GLOBAL_AAF_USERNAME, GLOBAL_AAF_PASSWORD] # aai info - everything is from the private oam network (also called onap private network) GLOBAL_AAI_SERVER_PROTOCOL = '{{ include "common.scheme" . }}' -GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" ( ternary 8443 80 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" 80 ) }}' GLOBAL_AAI_USERNAME = '{{ .Values.aaiUsername }}' GLOBAL_AAI_PASSWORD = '{{ .Values.aaiPassword}}' GLOBAL_AAI_AUTHENTICATION = [GLOBAL_AAI_USERNAME, GLOBAL_AAI_PASSWORD] -# appc info - everything is from the private oam network (also called onap private network) -GLOBAL_APPC_SERVER_PROTOCOL = "https" -GLOBAL_APPC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "appc" "port" 8443) }}' -GLOBAL_APPC_USERNAME = '{{ .Values.appcUsername }}' -GLOBAL_APPC_PASSWORD = '{{ .Values.appcPassword }}' -GLOBAL_APPC_AUTHENTICATION = [GLOBAL_APPC_USERNAME, GLOBAL_APPC_PASSWORD] -GLOBAL_APPC_CDT_SERVER_PROTOCOL = "https" -GLOBAL_APPC_CDT_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "appc-cdt" "port" 18080) }}' -GLOBAL_APPC_CDT_USERNAME = "demo" # sdc info - everything is from the private oam network (also called onap private network) -GLOBAL_SDC_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_SDC_FE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-fe" "port" ( ternary 9443 8181 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_SDC_BE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-be" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_SDC_BE_ONBOARD_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "sdc-onboarding-be" "port" ( ternary 8445 8081 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_SDC_SERVER_PROTOCOL = 'http' +GLOBAL_SDC_FE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-fe" "port" 8181) }}' +GLOBAL_SDC_BE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-be" "port" 8080) }}' +GLOBAL_SDC_BE_ONBOARD_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-onboarding-be" "port" 8081) }}' GLOBAL_SDC_DCAE_BE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-dcae-be" "port" 8444) }}' GLOBAL_SDC_USERNAME = '{{ .Values.sdcUsername }}' GLOBAL_SDC_PASSWORD = '{{ .Values.sdcPassword }}' GLOBAL_SDC_AUTHENTICATION = [GLOBAL_SDC_USERNAME, GLOBAL_SDC_PASSWORD] # clamp info - everything is from the private oam network (also called onap private network) -GLOBAL_CLAMP_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' +GLOBAL_CLAMP_SERVER_PROTOCOL = 'http' GLOBAL_CLAMP_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "policy-gui" "port" 2443) }}' # nbi info - everything is from the private oam network (also called onap private network) -GLOBAL_NBI_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_NBI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "nbi" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_NBI_SERVER_PROTOCOL = 'http' +GLOBAL_NBI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "nbi" "port" 8080) }}' # cli info - everything is from the private oam network (also called onap private network) -GLOBAL_CLI_SERVER_PROTOCOL = "https" -GLOBAL_CLI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "cli" "port" 443) }}' +GLOBAL_CLI_SERVER_PROTOCOL = "http" +GLOBAL_CLI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "cli" "port" 8080) }}' # dcae info - everything is from the private oam network (also called onap private network) GLOBAL_DCAE_SERVER_PROTOCOL = "http" GLOBAL_DCAE_HEALTH_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-healthcheck" "port" 80) }}' 
@@ -175,27 +179,44 @@ GLOBAL_DCAE_AUTHENTICATION = [GLOBAL_DCAE_USERNAME, GLOBAL_DCAE_PASSWORD] # dcae hv-ves info GLOBAL_DCAE_HVVES_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-hv-ves-collector") }}' GLOBAL_DCAE_HVVES_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-hv-ves-collector" "port" 6061) }}' -# data router info - everything is from the private oam network (also called onap private network) -GLOBAL_DMAAP_DR_PROV_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_DMAAP_DR_PROV_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-dr-prov" "port" 443) }}' -GLOBAL_DMAAP_DR_NODE_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_DMAAP_DR_NODE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmapp-dr-node" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' -# dmaap message router info + +#DMAAP +# message router info - everything is from the private oam network (also called onap private network) +GLOBAL_MR_SERVER_PROTOCOL = "http" +GLOBAL_MR_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "message-router" "port" 3904) }}' +GLOBAL_INJECTED_MR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router") }}' GLOBAL_DMAAP_MESSAGE_ROUTER_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router") }}' GLOBAL_DMAAP_MESSAGE_ROUTER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "message-router" "port" 3904) }}' -# dmaap kafka info -GLOBAL_DMAAP_KAFKA_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router-kafka") }}' -GLOBAL_DMAAP_KAFKA_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "message-router-kafka" "port" 9092) }}' -GLOBAL_DMAAP_KAFKA_JAAS_USERNAME = '{{ .Values.kafkaJaasUsername }}' -GLOBAL_DMAAP_KAFKA_JAAS_PASSWORD = '{{ .Values.kafkaJaasPassword }}' +# bus controller info +GLOBAL_INJECTED_BC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-bc") }}' +GLOBAL_BC_SERVER_PROTOCOL = 'http' +GLOBAL_BC_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-bc" "port" 8080) }}' +GLOBAL_BC_USERNAME = '{{ .Values.bcUsername }}' +GLOBAL_BC_PASSWORD = '{{ .Values.bcPassword }}' +# data router info - everything is from the private oam network (also called onap private network) +GLOBAL_DMAAP_DR_PROV_SERVER_PROTOCOL = 'http' +GLOBAL_DMAAP_DR_PROV_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-dr-prov" "port" 8080) }}' +GLOBAL_INJECTED_DMAAP_DR_PROV_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-prov") }}' +GLOBAL_DMAAP_DR_NODE_SERVER_PROTOCOL = 'http' +GLOBAL_DMAAP_DR_NODE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmapp-dr-node" "port" 8080) }}' +GLOBAL_INJECTED_DMAAP_DR_NODE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-node") }}' + # strimzi kafka GLOBAL_KAFKA_BOOTSTRAP_SERVICE = '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' -GLOBAL_KAFKA_USER = '{{ .Values.strimziKafkaJaasUsername }}' +GLOBAL_KAFKA_USER = '{{ .Values.strimziKafkaUsername }}' + # DROOL server port and credentials GLOBAL_DROOLS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "policy-drools-pdp" "port" 9696) }}' GLOBAL_DROOLS_USERNAME = '{{ .Values.droolsUsername }}' GLOBAL_DROOLS_PASSWORD = '{{ .Values.droolsPassword }}' GLOBAL_DROOLS_AUTHENTICATION = [GLOBAL_DROOLS_USERNAME, GLOBAL_DROOLS_PASSWORD] + +# holmes info +GLOBAL_HOLMES_ENGINE_SERVER_PROTOCOL = 'http' +GLOBAL_HOLMES_ENGINE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "holmes-engine-mgmt" "port" 9102) }}' +GLOBAL_HOLMES_RULE_SERVER_PROTOCOL = 'http' +GLOBAL_HOLMES_RULE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "holmes-rule-mgmt" "port" 9101) }}' + # log server config - NOTE: no log server is run in HEAT; only on OOM GLOBAL_LOG_SERVER_PROTOCOL = "http" GLOBAL_LOG_ELASTICSEARCH_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "log-es" "port" 9200) }}' 
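Review bot: The added `GLOBAL_DMAAP_DR_NODE_SERVER_PORT` line looks up the ingress port under hostname `"dmapp-dr-node"`, while the `GLOBAL_INJECTED_DMAAP_DR_NODE_IP_ADDR` line added right after it uses `"dmaap-dr-node"`. The `robot.ingress.port` helper is not visible here, but if it resolves its entry from the hostname, the misspelt key will presumably not match the `dmaap_dr_node` entry in values.yaml and the literal port will be used even when ingress is enabled. I would change the argument to `"hostname" "dmaap-dr-node"` so both lines resolve the same service. In the same hunk `GLOBAL_BC_HTTPS_SERVER_PORT` now carries port 8080 next to protocol `'http'`; a comment such as `# name kept for testsuite compatibility; the port is plain http` would stop readers assuming TLS.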
@@ -216,16 +237,27 @@ GLOBAL_POMBA_ELASTICSEARCH_PORT = '{{include "robot.ingress.port" (dict "root" . GLOBAL_POMBA_CONTEXTAGGREGATOR_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "pomba-contextaggregator" "port" 9529) }}' # microservice bus info - everything is from the private oam network (also called onap private network) -GLOBAL_MSB_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_MSB_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "msb-iag" "port" ( ternary 443 80 (eq "true" (include "common.needTLS" . )))) }}' -# message router info - everything is from the private oam network (also called onap private network) -GLOBAL_MR_SERVER_PROTOCOL = "http" -GLOBAL_MR_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "message-router" "port" 3904) }}' -# bus controller info -GLOBAL_BC_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_BC_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-bc" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_BC_USERNAME = '{{ .Values.bcUsername }}' -GLOBAL_BC_PASSWORD = '{{ .Values.bcPassword }}' +GLOBAL_MSB_SERVER_PROTOCOL = 'http' +GLOBAL_MSB_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "msb-iag" "port" 80) }}' + +# multicloud info +GLOBAL_MC_SERVER_PROTOCOL = 'http' +GLOBAL_MC_PIKE_SERVER_PROTOCOL = 'http' +GLOBAL_MC_PROMETHEUS_SERVER_PROTOCOL = 'http' +GLOBAL_MC_STARLINGX_SERVER_PROTOCOL = 'http' +GLOBAL_MC_TC_SERVER_PROTOCOL = 'http' +GLOBAL_MC_VIO_SERVER_PROTOCOL = 'http' +GLOBAL_MC_K8S_SERVER_PROTOCOL = 'http' +GLOBAL_MC_FCAPS_SERVER_PROTOCOL = 'http' +GLOBAL_MC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud" "port" 9001) }}' +GLOBAL_MC_PIKE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "multicloud-pike" "port" 9007) }}' +GLOBAL_MC_PROMETHEUS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-prometheus" "port" 9090) }}' +GLOBAL_MC_STARLINGX_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-starlingx" "port" 9009) }}' +GLOBAL_MC_TC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-titaniumcloud" "port" 9005) }}' +GLOBAL_MC_VIO_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-vio" "port" 9004) }}' +GLOBAL_MC_K8S_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-k8s" "port" 9015) }}' +GLOBAL_MC_FCAPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-fcaps" "port" 9011) }}' + # dcae inventory and deployment handler info GLOBAL_INVENTORY_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "inventory") }}' GLOBAL_INVENTORY_SERVER_PROTOCOL = "https" 
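Review bot: `GLOBAL_MSB_SERVER_PROTOCOL` and the eight added `GLOBAL_MC_*_SERVER_PROTOCOL` values are fixed to `'http'`, so the `common.needTLS` switch no longer affects these endpoints and nothing in the file says where transport encryption is expected to come from. The same applies to the hunks at -175, -286, -304, -315, -332 and -350, several of which sit next to Basic-auth pairs such as `GLOBAL_BC_USERNAME`/`GLOBAL_BC_PASSWORD` and `GLOBAL_SDNC_AUTHENTICATION`; those would travel in clear text unless a mesh or ingress encrypts the hop. If that is the intent (presumably service-mesh mTLS), state it once at the top of the section, for example `# plain http on purpose: TLS is provided by the service mesh / ingress, not by the component`. `GLOBAL_INVENTORY_SERVER_PROTOCOL = "https"` in the trailing context is left unchanged and is worth checking against the same assumption.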
@@ -286,11 +318,14 @@ GLOBAL_SO_VFC_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_VFC_IP_ADDR + ':' + GLOB GLOBAL_SO_VNFM_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_VNFM_IP_ADDR + ':' + GLOBAL_SO_VNFM_SERVER_PORT GLOBAL_SO_NSSMF_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_NSSMF_IP_ADDR + ':' + GLOBAL_SO_NSSMF_SERVER_PORT #GLOBAL_SO_VNFM_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_VNFM_IP_ADDR + ':' + GLOBAL_SO_VNFM_SERVER_PORT +# modeling info +GLOBAL_MODEL_PARSER_SERVER_PROTOCOL = "http" +GLOBAL_MODEL_PARSER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "modeling-etsicatalog" "port" 8806) }}' # music info - everything is from the private oam network (also called onap private network) GLOBAL_MUSIC_SERVER_PROTOCOL = "https" GLOBAL_MUSIC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "music" "port" 8443) }}' # oof global info - everything is from the private oam network (also called onap private network) -GLOBAL_OOF_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' +GLOBAL_OOF_SERVER_PROTOCOL = 'http' # oof-homing info - everything is from the private oam network (also called onap private network) GLOBAL_OOF_HOMING_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "oof-has-api" "port" 8091) }}' GLOBAL_OOF_HOMING_USERNAME="{{ .Values.oofHomingUsername }}" @@ -304,7 +339,7 @@ GLOBAL_OOF_OSDF_PASSWORD="{{ .Values.oofPassword }}" GLOBAL_OOF_PCI_USERNAME="{{ .Values.oofOsdfPciOptUsername }}" GLOBAL_OOF_PCI_PASSWORD="{{ .Values.oofOsdfPciOptPassword }}" # oof cmso global info - everything is from the private oam network (also called onap private network) -GLOBAL_OOF_CMSO_PROTOCOL = "https" +GLOBAL_OOF_CMSO_PROTOCOL = "http" GLOBAL_OOF_CMSO_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "oof-cmso" "port" 8080) }}' GLOBAL_OOF_CMSO_USERNAME = "{{ .Values.oofCmsoUsername }}" GLOBAL_OOF_CMSO_PASSWORD = "{{ .Values.oofCmsoPassword }}" 
@@ -315,7 +350,7 @@ GLOBAL_PACKET_GENERATOR_USERNAME = "admin" GLOBAL_PACKET_GENERATOR_PASSWORD = "admin" GLOBAL_PGN_PORT = "2831" # policy info - everything is from the private oam network (also called onap private network) -GLOBAL_POLICY_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' +GLOBAL_POLICY_SERVER_PROTOCOL = 'http' GLOBAL_POLICY_SERVER_PORT = "8081" GLOBAL_POLICY_HEALTHCHECK_PORT = "6969" GLOBAL_POLICY_AUTH = '{{ .Values.policyAuth}}' @@ -332,9 +367,9 @@ GLOBAL_PORTAL_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "host GLOBAL_PORTAL_USERNAME = '{{ .Values.portalUsername }}' GLOBAL_PORTAL_PASSWORD = '{{ .Values.portalPassword }}' # sdnc info - everything is from the private oam network (also called onap private network) -GLOBAL_SDNC_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_SDNC_REST_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc" "port" ( ternary 8443 8282 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_SDNC_ADMIN_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc-portal" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_SDNC_SERVER_PROTOCOL = 'http' +GLOBAL_SDNC_REST_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc" "port" 8282) }}' +GLOBAL_SDNC_ADMIN_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc-portal" "port" 8080) }}' GLOBAL_SDNC_USERNAME = '{{ .Values.sdncUsername }}' GLOBAL_SDNC_PASSWORD = '{{ .Values.sdncPassword }}' GLOBAL_SDNC_AUTHENTICATION = [GLOBAL_SDNC_USERNAME, GLOBAL_SDNC_PASSWORD] 
@@ -342,6 +377,24 @@ GLOBAL_SDNC_AUTHENTICATION = [GLOBAL_SDNC_USERNAME, GLOBAL_SDNC_PASSWORD] GLOBAL_SMS_SERVER_PROTOCOL = "https" GLOBAL_SMS_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "aaf-sms") }}' GLOBAL_SMS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aaf-sms" "port" 10443) }}' +# uui info +GLOBAL_UUI_SERVER_PROTOCOL = "http" +GLOBAL_UUI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "uui-server" "port" 8082) }}' +# vfc info +GLOBAL_VFC_GVNFMDRIVER_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_GVNFMDRIVER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-generic-vnfm-driver" "port" 8484) }}' +GLOBAL_VFC_HUAWEIVNFMDRIVER_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_HUAWEIVNFMDRIVER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-huawei-vnfm-driver" "port" 8482) }}' +GLOBAL_VFC_NSLCM_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_NSLCM_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-nslcm" "port" 8403) }}' +GLOBAL_VFC_VNFLCM_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_VNFLCM_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-vnflcm" "port" 8801) }}' +GLOBAL_VFC_VNFMGR_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_VNFMGR_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-vnfmgr" "port" 8803) }}' +GLOBAL_VFC_VNFRES_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_VNFRES_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-vnfres" "port" 8802) }}' +GLOBAL_VFC_ZTEVNFDRIVER_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_ZTEVNFDRIVER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-zte-vnfm-driver" "port" 8410) }}' # vid info - everything is from the private oam network (also called onap private network) GLOBAL_VID_SERVER_PROTOCOL = '{{ .Values.vidServerProtocol }}' GLOBAL_VID_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "clamp" "port" (.Values.vidServerPort | default 0 | int)) }}' @@ -350,13 +403,13 @@ GLOBAL_VID_PASSWORD = '{{ .Values.vidPassword}}' GLOBAL_VID_HEALTH_USERNAME = '{{ .Values.vidHealthUsername }}' GLOBAL_VID_HEALTH_PASSWORD = '{{ .Values.vidHealthPassword }}' # vnfsdk info - everything is from the private oam network (also called onap private network) -GLOBAL_VNFSDK_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' +GLOBAL_VNFSDK_SERVER_PROTOCOL = 'http' GLOBAL_VNFSDK_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "refrepo" "port" 8703) }}' GLOBAL_DCAE_VES_PROTOCOL = "http" GLOBAL_DCAE_VES_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-ves-collector" "port" 8080) }}' GLOBAL_DCAE_VES_HTTPS_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_DCAE_VES_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-ves-collector-https" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_DCAE_VES_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-ves-collector-https" "port" 8080) }}' GLOBAL_DCAE_VES_USERNAME = 'sample1' GLOBAL_DCAE_VES_PASSWORD = 'sample1' diff --git a/kubernetes/robot/templates/deployment.yaml b/kubernetes/robot/templates/deployment.yaml index 7d588e4de4..4736d6d00a 100644 --- a/kubernetes/robot/templates/deployment.yaml +++ b/kubernetes/robot/templates/deployment.yaml @@ -66,9 +66,6 @@ spec: volumeMounts: - name: dshm mountPath: /dev/shm - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: robot-eteshare mountPath: /share/config - name: robot-lighttpd 
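Review bot: In the -350 hunk `GLOBAL_DCAE_VES_HTTPS_SERVER_PORT` is now fixed to 8080, but the unchanged line above it still derives `GLOBAL_DCAE_VES_HTTPS_PROTOCOL` from `common.needTLS`, so a deployment where that helper returns "true" would render `https` together with the plain-http port. Every other protocol touched by this commit was reduced to a literal, and this one should follow: `GLOBAL_DCAE_VES_HTTPS_PROTOCOL = 'http'`. Whether `common.needTLS` can still return "true" is not visible from this hunk, so the mismatch may be latent rather than active.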
@@ -77,8 +74,7 @@ spec: mountPath: /etc/lighttpd/ssl - name: robot-logs mountPath: /share/logs - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -98,9 +94,6 @@ spec: - name: dshm emptyDir: medium: Memory - - name: localtime - hostPath: - path: /etc/localtime - name: robot-eteshare configMap: name: {{ include "common.fullname" . }}-eteshare-configmap @@ -113,5 +106,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-lighttpd-ssl-configmap defaultMode: 0600 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/robot/values.yaml b/kubernetes/robot/values.yaml index bf11e1306e..6025462649 100644 --- a/kubernetes/robot/values.yaml +++ b/kubernetes/robot/values.yaml @@ -22,7 +22,7 @@ global: # global defaults # application image repository: nexus3.onap.org:10001 -image: onap/testsuite:1.11.1 +image: onap/testsuite:1.12.2 pullPolicy: Always ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 @@ -44,14 +44,6 @@ config: enabled: true https: true hostname: aai.api.sparky - appc: - enabled: true - https: true - hostname: appc.api - appc_cdt: - enabled: true - https: true - hostname: appccdt clamp: enabled: true https: true @@ -65,13 +57,20 @@ config: dcae_ves_colector_https: enabled: false https: true + message_router: + enabled: false + https: false + dmaap_bc: + enabled: true + https: false + hostname: dmaapbc dmaap_dr_prov: enabled: true - https: true + https: false hostname: dmaapdrprov dmaap_dr_node: enabled: true - https: true + https: false hostname: dmaapdrnode log_es: enabled: false @@ -99,13 +98,6 @@ config: enabled: false pomba_contextaggregator: enabled: false - message_router: - enabled: false - https: true - dmaap_bc: - enabled: true - https: true - hostname: dmaapbc music: enabled: false https: true 
@@ -138,8 +130,6 @@ config: enabled: false policy_apex_pdp: enabled: false - policy_distribution: - enabled: false portal_app: enabled: false https: true @@ -194,8 +184,6 @@ config: hostname: blueprintsprocessorhttp dcae_hv_ves_collector: enabled: false - message_router_kafka: - enabled: false inventory: enabled: false https: true @@ -319,9 +307,6 @@ aafPassword: "demo123456!" # AAI aaiUsername: "aai@aai.onap.org" aaiPassword: "demo123456!" -# APPC -appcUsername: "appc@appc.onap.org" -appcPassword: "demo123456!" # SDC sdcUsername: "beep" sdcPassword: "boop" @@ -361,16 +346,13 @@ vidUsername: "demo" vidPassword: "Kp8bJ4SXszM0WX" vidHealthUsername: "Default" vidHealthPassword: "AppPassword!1" + # DMAAP BC bcUsername: "dmaap-bc@dmaap-bc.onap.org" bcPassword: "demo123456!" -# DMAAP KAFKA JAAS -kafkaJaasUsername: "admin" -kafkaJaasPassword: "admin_secret" - -# STRIMZI KAFKA JAAS -strimziKafkaJaasUsername: "strimzi-kafka-admin" +# STRIMZI KAFKA +strimziKafkaUsername: "strimzi-kafka-admin" #OOF oofUsername: "oof@oof.onap.org" @@ -400,18 +382,18 @@ flavor: small resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "2000m" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "4000m" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1000m" + memory: "2Gi" unlimited: {} # probe configuration parameters diff --git a/kubernetes/sdc/Chart.yaml b/kubernetes/sdc/Chart.yaml index aaa3ac29b7..86d3408f0e 100644 --- a/kubernetes/sdc/Chart.yaml +++ b/kubernetes/sdc/Chart.yaml 
@@ -18,30 +18,33 @@ apiVersion: v2 description: Service Design and Creation Umbrella Helm charts name: sdc -version: 12.0.0 +version: 13.0.1 dependencies: + - name: common + version: ~13.x-0 + repository: '@local' - name: sdc-be - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-be' - name: sdc-cs - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-cs' - name: sdc-fe - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-fe' - name: sdc-onboarding-be - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-onboarding-be' - name: sdc-wfd-be - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-wfd-be' condition: sdc-wfd.enabled - name: sdc-wfd-fe - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-wfd-fe' condition: sdc-wfd.enabled - name: sdc-helm-validator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-helm-validator' condition: sdcHelmValidator.enabled diff --git a/kubernetes/sdc/components/sdc-be/Chart.yaml b/kubernetes/sdc/components/sdc-be/Chart.yaml index e4052afc3d..e93607c017 100644 --- a/kubernetes/sdc/components/sdc-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-be/Chart.yaml @@ -18,15 +18,15 @@ apiVersion: v2 description: ONAP Service Design and Creation Backend API name: sdc-be -version: 12.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~12.x-0 + - name: common + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-be/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml index 16fc57aa92..229d4233cc 100644 --- a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml @@ -24,16 +24,16 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-readiness command: - /app/ready.py args: - - --container-name - - "sdc-onboarding-be" + - --service-name + - sdc-onboarding-be {{- if not .Values.global.kafka.useKafka }} - - --container-name - - "message-router" + - --service-name + - message-router {{- end }} env: - name: NAMESPACE @@ -45,11 +45,11 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" - name: {{ include "common.name" . }}-job-completion image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" 
@@ -57,7 +57,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-onboarding-be-cassandra-init + - {{ include "common.release" . }}-sdc-onboarding-be env: - name: NAMESPACE valueFrom: 
@@ -66,59 +66,16 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /config-output - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /config-output - cd /config-input && \ - for PFILE in `find . -not -type d | grep -v -F ..` - do - envsubst <${PFILE} >/config-output/${PFILE} - chmod 0755 /config-output/${PFILE} - done - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - name: sdc-environments-input - mountPath: /config-input/ - - name: sdc-environments - mountPath: /config-output/ - {{- end }} + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - sed -i '/trustStorePassword/d' ${JETTY_BASE}/startup.sh - ${JETTY_BASE}/startup.sh - {{- end }} - ports: {{ include "common.containerPorts" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{ if eq .Values.liveness.enabled true }} livenessProbe: httpGet: 
@@ -139,7 +96,6 @@ spec: timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} - resources: {{ include "common.resources" . | nindent 12 }} startupProbe: httpGet: path: /sdc2/rest/healthCheck @@ -163,24 +119,16 @@ spec: fieldPath: status.podIP {{- if .Values.global.kafka.useKafka }} - name: SASL_JAAS_CONFIG - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-be-kafka-secret" "key" "sasl.jaas.config") | indent 12 }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config - name: USE_KAFKA value: {{ .Values.global.kafka.useKafka | quote }} {{- end }} volumeMounts: - name: sdc-environments mountPath: /app/jetty/chef-solo/environments/ - {{- if .Values.global.aafEnabled }} - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-be/files/default/org.onap.sdc.p12 - subPath: org.onap.sdc.p12 - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-be/files/default/org.onap.sdc.trust.jks - subPath: org.onap.sdc.trust.jks - {{- end }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: logs mountPath: /var/log/onap - name: logback 
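Review bot: In the -163 hunk `SASL_JAAS_CONFIG` now reads key `sasl.jaas.config` from a Secret named `{{ include "common.name" . }}-ku`, and nothing in the template says who creates that Secret. Presumably it is generated by the Strimzi user operator for the KafkaUser rendered by `common.kafkauser` in the new kafkauser.yaml, in which case the name here has to stay identical to that KafkaUser's name; a mismatch would leave the pod unable to start because the referenced Secret does not exist. A comment above `valueFrom:` such as `# Secret is created by Strimzi for the KafkaUser from templates/kafkauser.yaml; names must match` would record the coupling. The container spec continues outside the hunk.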
@@ -193,23 +141,15 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logback configMap: name : {{ include "common.fullname" . }}-logging-configmap - name: sdc-environments - {{- if .Values.global.aafEnabled }} - emptyDir: { medium: "Memory" } - - name: sdc-environments-input - {{- end }} configMap: name: {{ include "common.release" . }}-sdc-environments-configmap defaultMode: 0755 - name: logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-be/templates/ingress.yaml b/kubernetes/sdc/components/sdc-be/templates/ingress.yaml index 8f87c68f1e..90875ab5cc 100644 --- a/kubernetes/sdc/components/sdc-be/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} 
diff --git a/kubernetes/sdc/components/sdc-be/templates/job.yaml b/kubernetes/sdc/components/sdc-be/templates/job.yaml index 5f70991e6f..30400a80b7 100644 --- a/kubernetes/sdc/components/sdc-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/job.yaml @@ -17,10 +17,7 @@ apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }}-config-backend - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: backoffLimit: 20 template: @@ -39,7 +36,7 @@ spec: command: - /app/ready.py args: - - --container-name + - --service-name - sdc-be - "-t" - "35" @@ -51,11 +48,11 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.backendInitImage }} @@ -74,12 +71,13 @@ spec: fieldPath: status.podIP resources: limits: - cpu: 800m - memory: 1024Mi + cpu: "800m" + memory: "1Gi" requests: - cpu: 200m - memory: 200Mi + cpu: "200m" + memory: "200Mi" {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: @@ -87,6 +85,4 @@ spec: defaultMode: 0755 - name: sdc-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-be/templates/kafkauser.yaml b/kubernetes/sdc/components/sdc-be/templates/kafkauser.yaml new file mode 100644 index 0000000000..5033d9d9aa --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/kafkauser.yaml 
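Review bot: The last job.yaml hunk (-87,6) drops `restartPolicy: Never` from the Job's pod template and the visible hunks do not add it back. A Job's pod template must set `restartPolicy` to `Never` or `OnFailure`; without it the default `Always` applies and the API server rejects the Job, unless `common.imagePullSecrets` or a line outside the hunks supplies it. If it is not set elsewhere, keep `restartPolicy: Never` next to the new `serviceAccountName:` line. Separately, the switch to `common.resourceMetadata` in the first hunk presumably renames the Job (the `-config-backend` suffix is gone), so any readiness check that waits on the old job name would need the same update.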
@@ -0,0 +1,18 @@
+{{/*
+# Copyright © 2022 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.global.kafka.useKafka }}
+{{ include "common.kafkauser" . }}
+{{- end }}
diff --git a/kubernetes/sdc/components/sdc-be/templates/sdc-be-kafka-user.yaml b/kubernetes/sdc/components/sdc-be/templates/sdc-be-kafka-user.yaml
deleted file mode 100644
index 6cd7f93c5a..0000000000
--- a/kubernetes/sdc/components/sdc-be/templates/sdc-be-kafka-user.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{/*
-# Copyright © 2022 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{- if .Values.global.kafka.useKafka }}
-apiVersion: kafka.strimzi.io/v1beta2
-kind: KafkaUser
-metadata:
- name: {{ include "common.release" . }}-{{ .Values.global.kafka.sdcBeKafkaUser }}
- labels:
- strimzi.io/cluster: {{ include "common.release" . }}-strimzi
-spec:
- authentication:
- type: {{ .Values.config.kafka.saslMech }}
- authorization:
- type: {{ .Values.config.kafka.authType }}
- acls:
- - resource:
- type: group
- name: {{ .Values.config.kafka.topicConsumer.groupId }}-{{ .Values.env.name }}
- operation: Read
- - resource:
- type: topic
- patternType: prefix
- name: {{ .Values.config.kafka.topicConsumer.pattern }}
- operation: All
-{{- end }}
diff --git a/kubernetes/sdc/components/sdc-be/templates/sdc-distro-topics.yaml b/kubernetes/sdc/components/sdc-be/templates/sdc-distro-topics.yaml
deleted file mode 100644
index 9a6f7579e8..0000000000
--- a/kubernetes/sdc/components/sdc-be/templates/sdc-distro-topics.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{/*
-# Copyright © 2022 Nordix Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-{{- if .Values.global.kafka.useKafka }}
-apiVersion: kafka.strimzi.io/v1beta2
-kind: KafkaTopic
-metadata:
- name: sdc-distro-notif-topic
- labels:
- strimzi.io/cluster: {{ include "common.release" . }}-strimzi
-spec:
- topicName: {{ .Values.global.kafka.topics.sdcDistNotifTopic }}-{{ .Values.env.name }}
- config:
- retention.ms: {{ .Values.config.kafka.topicRetentionMs }}
- segment.bytes: {{ .Values.config.kafka.topicSegmentBytes }}
----
-apiVersion: kafka.strimzi.io/v1beta2
-kind: KafkaTopic
-metadata:
- name: sdc-distro-status-topic
- labels:
- strimzi.io/cluster: {{ include "common.release" . }}-strimzi
-spec:
- topicName: {{ .Values.global.kafka.topics.sdcDistStatusTopic }}-{{ .Values.env.name }}
- config:
- retention.ms: {{ .Values.config.kafka.topicRetentionMs }}
- segment.bytes: {{ .Values.config.kafka.topicSegmentBytes }}
-{{- end }}
\ No newline at end of file
diff --git a/kubernetes/sdc/components/sdc-be/templates/secret.yaml b/kubernetes/sdc/components/sdc-be/templates/secret.yaml
deleted file mode 100644
index bb5091f01a..0000000000
--- a/kubernetes/sdc/components/sdc-be/templates/secret.yaml
+++ /dev/null
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index faf46e5549..7f914d4bdf 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -19,7 +19,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true sdc_cassandra: #This flag allows SDC to instantiate its own cluster, serviceName #should be sdc-cs if this flag is enabled @@ -31,20 +30,17 @@ global: replicaCount: 3 clusterName: cassandra dataCenter: Pod - # Strimzi kafka config + # Global Strimzi kafka config overridden + # from parent values.yaml kafka: useKafka: overridden-from-parent-values-yaml - sdcBeKafkaUser: overridden-from-parent-values-yaml - topics: - sdcDistNotifTopic: overridden-from-parent-values-yaml - sdcDistStatusTopic: overridden-from-parent-values-yaml ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-backend-all-plugins:1.12.0 -backendInitImage: onap/sdc-backend-init:1.12.0 +image: onap/sdc-backend-all-plugins:1.13.6 +backendInitImage: onap/sdc-backend-init:1.13.6 pullPolicy: Always 
@@ -53,54 +49,26 @@ debugEnabled: false #environment file env: - name: AUTO - -certInitializer: - nameOverride: sdc-be-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop + name: &env AUTO ################################################################# # SDC Config part ################################################################# - -secrets: - - uid: sdc-be-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - config: javaOptions: "-Xmx1536m -Xms1536m" cassandraSslEnabled: "false" - # Strimzi kafka config - kafka: - saslMech: scram-sha-512 - securityProtocol: SASL_PLAINTEXT - authType: simple - topicRetentionMs: 7200000 - topicSegmentBytes: 1073741824 - topicConsumer: - pattern: SDC-DIST - groupId: sdc + +kafkaUser: + acls: + - name: sdc + suffix: *env + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + # default number of instances replicaCount: 1 
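Review bot: The alias in `suffix: *env` under `kafkaUser.acls` is bound to the anchor on `name: &env AUTO` when this values.yaml is parsed, so an override of `env.name` from a parent chart or `--set` will not reach the ACL suffix. The removed KafkaUser template built the group name from `.Values.env.name` at render time; if the consumer still derives its group id from the overridden value (not visible here), the generated ACL would name a different group and the consumer would be refused. Either resolve the suffix at render time in the helper, or document the coupling next to the entry, for example `# *env is fixed at parse time: override kafkaUser.acls[0].suffix together with env.name`.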
@@ -137,39 +105,49 @@ startup: service: type: NodePort name: sdc-be - both_tls_and_plain: true internalPort: 8080 - msb: - - port: 8443 - url: "/sdc/v1" - version: "v1" - protocol: "REST" - visualRange: "1" - serviceName: sdc - enable_ssl: true - - port: 8080 - url: "/sdc/v1" - version: "v1" - protocol: "REST" - visualRange: "1" - serviceName: sdc-deprecated ports: - name: tcp-api - port: 8443 - plain_port: 8080 + port: 8080 port_protocol: http nodePort: '04' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "sdc-be", + "version": "v1", + "url": "/sdc/v1", + "path":"/sdc/v1", + "protocol": "REST", + "visualRange":"1", + "port": "{{ .Values.service.internalPort }}", + } + ]{{ end }} ingress: enabled: false service: - baseaddr: "sdc-be-api" name: "sdc-be" - port: 8443 - plain_port: 8080 + port: 8080 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: consul-read + - serviceAccount: consul-server-read + - serviceAccount: modeling-etsicatalog-read + - serviceAccount: nbi-read + - serviceAccount: oof-has-read + - serviceAccount: portal-db-read + - serviceAccount: so-cnfm-lcm-read + - serviceAccount: so-etsi-sol003-adapter-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress # Resource Limit flavor -By Default using small flavor: small @@ -177,18 +155,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "3Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "3Gi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "6Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "6Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/components/sdc-cs/Chart.yaml b/kubernetes/sdc/components/sdc-cs/Chart.yaml index a7e2d1afa8..f0bbbca1d9 100644 --- a/kubernetes/sdc/components/sdc-cs/Chart.yaml +++ b/kubernetes/sdc/components/sdc-cs/Chart.yaml 
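Review bot: The `msb.onap.org/service-info` annotation added under `service.annotations` ends its only object with `"port": "{{ .Values.service.internalPort }}",` directly before the closing brace, and a trailing comma is not valid JSON, so a strict parser on the consuming side would reject the entry; the line should read `"port": "{{ .Values.service.internalPort }}"`. The same trailing comma appears in the service hunk of sdc-fe/values.yaml later in this diff. In the same hunk the service stays `type: NodePort` with `nodePort: '04'` while port 8443 is removed, so the node port now serves plain HTTP on 8080. Wherever the mesh policy configured by the new `serviceMesh.authorizationPolicy` block is not enforced (not visible here), the API is reachable in cleartext from outside the cluster, so `ClusterIP` behind the ingress would be the safer default.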
@@ -18,20 +18,20 @@ apiVersion: v2 description: ONAP Service Design and Creation Cassandra name: sdc-cs -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: cassandra - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) diff --git a/kubernetes/sdc/components/sdc-cs/templates/job.yaml b/kubernetes/sdc/components/sdc-cs/templates/job.yaml index 0eeeff52da..c715342d5e 100644 --- a/kubernetes/sdc/components/sdc-cs/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-cs/templates/job.yaml @@ -17,14 +17,7 @@ apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }}-config-cassandra - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: backoffLimit: 20 template: @@ -41,12 +34,8 @@ spec: command: - /app/ready.py args: - - --container-name - {{- if .Values.global.sdc_cassandra.localCluster }} - - sdc-cs - {{- else }} - - cassandra - {{- end }} + - --service-name + - {{ .Values.global.sdc_cassandra.serviceName }} - "-t" - "15" env: @@ -57,11 +46,11 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.cassandraInitImage }} 
@@ -71,6 +60,8 @@ spec: mountPath: /home/sdc/chef-solo/environments/ - name: {{ include "common.fullname" . }}-chef-cache mountPath: /home/sdc/chef-solo/cache + - name: {{ include "common.fullname" . }}-cqlshrc + mountPath: /home/sdc/.cassandra env: - name: ENVNAME value: {{ .Values.env.name }} @@ -91,11 +82,11 @@ spec: fieldPath: status.podIP resources: limits: - cpu: 800m - memory: 1024Mi + cpu: "800m" + memory: "1Gi" requests: - cpu: 200m - memory: 300Mi + cpu: "200m" + memory: "300Mi" {{ include "common.waitForJobContainer" . | indent 6 | trim }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: @@ -105,6 +96,7 @@ spec: defaultMode: 0755 - name: {{ include "common.fullname" . }}-chef-cache emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never + - name: {{ include "common.fullname" . }}-cqlshrc + configMap: + name: {{ include "common.release" . }}-sdc-cqlshrc + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml index b3dfbfa0ba..b8986ee104 100644 --- a/kubernetes/sdc/components/sdc-cs/values.yaml +++ b/kubernetes/sdc/components/sdc-cs/values.yaml 
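Review bot: The `-cqlshrc` mount added at `/home/sdc/.cassandra` is fed from the ConfigMap `{{ include "common.release" . }}-sdc-cqlshrc` declared in the volumes hunk further down, and a cqlshrc file can carry an `[authentication]` section with a username and password. The ConfigMap's content is not part of this diff section; if it holds anything beyond the CQL version and connection settings, it should be sourced from a Secret instead. The container's volumeMounts list starts above this hunk.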
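Review bot: `restartPolicy: Never` is removed at the end of the pod spec in the last hunk (`@@ -105,6 +96,7 @@`) and none of the job.yaml hunks in this diff adds it back. Unless `common.imagePullSecrets` or another included helper emits it (not visible here), the Job's pod template falls back to the default `Always`, which Kubernetes does not accept for a Job. If no helper sets it, keep the line `restartPolicy: Never` next to the `common.imagePullSecrets` include. The pod spec starts above this hunk.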
@@ -18,20 +18,39 @@ ################################################################# global: nodePortPrefix: 302 - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 sdc_cassandra: #This flag allows SDC to instantiate its own cluster, serviceName #should be sdc-cs if this flag is enabled localCluster: false + + # in case of a local cassandra cluster + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + #The cassandra service name to connect to (default: shared cassandra service) - serviceName: cassandra + #in case of using k8ssandra-operator in the common cassandra installation + #the service name is: + serviceName: cassandra-dc1-service + #in case of local k8ssandra-operator instance it is + #serviceName: sdc-cs-dc1-service + #in case the older cassandra installation is used: + #serviceName: cassandra + #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled #to match with its own cluster replica replicaCount: 3 clusterName: cassandra - dataCenter: Pod + #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod") + dataCenter: dc1 + #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.0.* must be "3.4.5" + #and cassandra 4.1.* must be "3.4.6" + cqlVersion: "3.4.6" ################################################################# # Application configuration defaults. 
@@ -48,11 +67,14 @@ cassandra: persistence: mountSubPath: sdc/sdc-cs/CS enabled: true + k8ssandraOperator: + config: + clusterName: sdc-cs # application image repository: nexus3.onap.org:10001 -image: onap/sdc-cassandra:1.12.0 -cassandraInitImage: onap/sdc-cassandra-init:1.12.0 +image: onap/sdc-cassandra:1.13.6 +cassandraInitImage: onap/sdc-cassandra-init:1.13.6 pullPolicy: Always config: diff --git a/kubernetes/sdc/components/sdc-fe/Chart.yaml b/kubernetes/sdc/components/sdc-fe/Chart.yaml index 7b646bdf30..5c05fdaba6 100644 --- a/kubernetes/sdc/components/sdc-fe/Chart.yaml +++ b/kubernetes/sdc/components/sdc-fe/Chart.yaml @@ -18,15 +18,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Front End name: sdc-fe -version: 12.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml b/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml index cc91960dbf..1648555ffc 100644 --- a/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml +++ b/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml @@ -1,10 +1,6 @@ pluginsList: - pluginId: WORKFLOW - {{- if (include "common.needTLS" .) }} - pluginDiscoveryUrl: "{{ .Values.config.plugins.workflow_discovery_url.https }}" - {{- else }} pluginDiscoveryUrl: "{{ .Values.config.plugins.workflow_discovery_url.http }}" - {{- end }} pluginSourceUrl: "{{ .Values.config.plugins.workflow_source_url }}" pluginStateUrl: "workflowDesigner" pluginDisplayOptions: 
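Review bot: In plugins-configuration.yaml, `pluginDiscoveryUrl` is now always taken from `workflow_discovery_url.http`, so discovery of the workflow plugin is cleartext unless something outside this file encrypts it, while `pluginSourceUrl` on the next line is still an `https://` URL. Nothing in the file states what now provides transport security; presumably that is the service mesh, but this hunk does not show it. A comment above the line would record the dependency, for example `# plain HTTP: requires mesh mTLS (or equivalent) between sdc-fe and sdc-wfd-fe`.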
diff --git a/kubernetes/sdc/components/sdc-fe/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-fe/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml index 599e32e175..bfdf547ac1 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,26 +18,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-job-completion image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" @@ -44,7 +33,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-be-config-backend + - {{ include "common.release" . }}-sdc-be - "-t" - "35" env: 
@@ -55,65 +44,20 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /config-output - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /config-output - cd /config-input && \ - for PFILE in `find . -not -type d | grep -v -F ..` - do - envsubst <${PFILE} >/config-output/${PFILE} - chmod 0755 /config-output/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: sdc-environments-input - mountPath: /config-input/ - - name: sdc-environments - mountPath: /config-output/ - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- end }} + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - sed -i '/trustStorePassword/d' ${JETTY_BASE}/startup.sh - ${JETTY_BASE}/startup.sh - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} {{ if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -122,7 +66,7 @@ spec: {{ end }} readinessProbe: tcpSocket: - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} @@ -130,7 +74,7 @@ spec: failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: tcpSocket: - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} timeoutSeconds: {{ .Values.startup.timeoutSeconds }} @@ -149,17 +93,6 @@ spec: volumeMounts: - name: sdc-environments mountPath: /app/jetty/chef-solo/environments/ - {{- if .Values.global.aafEnabled }} - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.p12 - subPath: org.onap.sdc.p12 - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.trust.jks - subPath: org.onap.sdc.trust.jks - {{- end }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: logs mountPath: /var/log/onap - name: configs 
@@ -175,10 +108,7 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - name: configs configMap: @@ -197,5 +127,4 @@ spec: defaultMode: 0755 - name: logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml b/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml index 8f87c68f1e..90875ab5cc 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/sdc/components/sdc-fe/templates/service.yaml b/kubernetes/sdc/components/sdc-fe/templates/service.yaml index 30c3d1122f..0a349834b4 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/service.yaml 
@@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,39 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "sdc-gui", - "version": "v1", - "url": "/sdc1", - "protocol": "UI", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0|1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file 
diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index abac356d40..5745f06be2 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml 
@@ -18,51 +18,24 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true - -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-fe-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-frontend:1.12.0 +image: onap/sdc-frontend:1.13.6 pullPolicy: Always config: javaOptions: "-Xmx256m -Xms256m" plugins: dcae_discovery_url: - https: "https://sdc-dcae-fe:9444/dcaed/#/home" http: "http://sdc-dcae-fe:8183/dcaed/#/home" dcae_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30264/dcaed/#/home" dcae_dt_discovery_url: - https: "https://sdc-dcae-dt:9446/dcae/#/dcae/home" http: "http://sdc-dcae-dt:8186/dcae/#/dcae/home" dcae_dt_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30266/dcae/#/dcae/home" workflow_discovery_url: - https: "https://sdc-wfd-fe:8443/workflows" http: "http://sdc-wfd-fe:8080/workflows" workflow_source_url: "https://sdc.workflow.plugin.simpledemo.onap.org:30256/workflows/" 
@@ -106,47 +79,61 @@ startup: failureThreshold: 60 service: - #Example service definition with external, internal and node ports. - #Services may use any combination of ports depending on the 'type' of - #service being defined. type: NodePort name: sdc-fe - portName: http internalPort: 8181 - externalPort: 8181 - internalPort2: 9443 - externalPort2: 9443 - nodePort: "07" - + ports: + - name: http + port: 8181 + nodePort: '07' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "sdc-ui", + "version": "v1", + "url": "/sdc1", + "protocol": "UI", + "visualRange":"0|1", + "port": "{{ .Values.service.internalPort }}", + } + ]{{ end }} ingress: enabled: false service: - baseaddr: "sdc-fe-ui" name: "sdc-fe" - port: 9443 - plain_port: 8181 + port: 8181 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: consul-read + - serviceAccount: consul-server-read + - serviceAccount: istio-ingress + namespace: istio-ingress + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml index cf6948b66c..d114dc892e 100644 --- a/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml +++ b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml 
@@ -19,12 +19,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Helm Validator name: sdc-helm-validator -version: 12.0.0 +version: 13.0.0 dependencies: - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml index f736a174db..f3572ca902 100644 --- a/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml 
@@ -50,5 +50,4 @@ spec: periodSeconds: {{ .Values.startup.periodSeconds }} successThreshold: {{ .Values.startup.successThreshold }} failureThreshold: {{ .Values.startup.failureThreshold }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-helm-validator/values.yaml b/kubernetes/sdc/components/sdc-helm-validator/values.yaml index 363a05934d..3470770ac6 100644 --- a/kubernetes/sdc/components/sdc-helm-validator/values.yaml +++ b/kubernetes/sdc/components/sdc-helm-validator/values.yaml @@ -30,6 +30,11 @@ service: - name: &port http port: *svc_port +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-be-read + liveness: initialDelaySeconds: 1 periodSeconds: 10 @@ -53,16 +58,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 256Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 1 - memory: 256Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 256Mi + cpu: "1" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml b/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml index 6032061d13..0e998b7765 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml @@ -18,15 +18,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Onboarding API name: sdc-onboarding-be -version: 12.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index 8180cc79f1..24715bcaec 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml 
@@ -18,26 +18,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-job-completion image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" @@ -45,7 +33,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-onboarding-be-cassandra-init + - {{ include "common.release" . }}-sdc-onboarding-be env: - name: NAMESPACE valueFrom: 
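Review bot: The readiness init container now waits on a hand-built job name, `{{ include "common.release" . }}-sdc-onboarding-be`, while the Job it waits for takes its name from `common.resourceMetadata` in job.yaml; the two match only as long as that helper renders exactly this string, and its definition is not visible here. The sdc-wfd-be deployment in this same commit passes `- {{ include "common.fullname" . }}` for the same argument, and using that here too would keep the init container from blocking the pod indefinitely if a name override is ever set. The container spec continues outside the hunk.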
@@ -54,78 +42,21 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /config-output - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /config-output - cd /config-input && \ - for PFILE in `find . -not -type d | grep -v -F ..` - do - envsubst <${PFILE} >/config-output/${PFILE} - chmod 0755 /config-output/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: sdc-environments-input - mountPath: /config-input/ - - name: sdc-environments - mountPath: /config-output/ - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- end }} - - name: volume-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //onboard/cert - securityContext: - runAsUser: 0 - volumeMounts: - - name: cert-storage - mountPath: "/onboard/cert" - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . 
}} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{ if eq .Values.liveness.enabled true }} livenessProbe: httpGet: path: /onboarding-api/v1.0/healthcheck - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -135,7 +66,7 @@ spec: readinessProbe: httpGet: path: /onboarding-api/v1.0/healthcheck - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} @@ -144,7 +75,7 @@ spec: startupProbe: httpGet: path: /onboarding-api/v1.0/healthcheck - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} timeoutSeconds: {{ .Values.startup.timeoutSeconds }} 
@@ -171,25 +102,12 @@ spec: valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password} - name: SDC_CERT_DIR - value: {{ .Values.cert.certDir }} + value: "" volumeMounts: - name: sdc-environments mountPath: /app/jetty/chef-solo/environments/ - {{- if .Values.global.aafEnabled }} - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-onboard-backend/files/default/org.onap.sdc.p12 - subPath: org.onap.sdc.p12 - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-onboard-backend/files/default/org.onap.sdc.trust.jks - subPath: org.onap.sdc.trust.jks - {{- end }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: logs mountPath: /var/log/onap - - name: cert-storage - mountPath: "{{ .Values.cert.certDir }}" - name: logback mountPath: /tmp/logback.xml subPath: logback.xml @@ -200,27 +118,15 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logback configMap: name : {{ include "common.fullname" . }}-logging-configmap - name: sdc-environments - {{- if .Values.global.aafEnabled }} - emptyDir: { medium: "Memory" } - - name: sdc-environments-input - {{- end }} configMap: name: {{ include "common.release" . }}-sdc-environments-configmap defaultMode: 0755 - name: logs emptyDir: {} - - name: cert-storage - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }}-cert - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
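Review bot: `SDC_CERT_DIR` stays in the container env with `value: ""` although the `cert-storage` mount and the keystore/truststore mounts are removed in these hunks. How the image treats an empty value is not visible here, so either drop the variable or put a comment above it, e.g. `# kept empty: the app must not load a keystore, TLS is left to the mesh sidecar`. The probes and `containerPorts` in this file now use the plain-HTTP `service.internalPort`, so the pod has no transport protection of its own and that dependency deserves to be stated in the template.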
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml index bfc1ef8e7b..8ceca385a4 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml @@ -17,14 +17,7 @@ apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }}-cassandra-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: backoffLimit: 20 template: @@ -42,7 +35,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-cs-config-cassandra + - {{ include "common.release" . }}-sdc-cs - "-t" - "20" env: @@ -53,11 +46,11 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.onboardingInitImage }} @@ -72,6 +65,8 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-environments mountPath: /home/sdc/chef-solo/environments/ + - name: {{ include "common.fullname" . }}-cqlshrc + mountPath: /home/sdc/.cassandra env: - name: ENVNAME value: {{ .Values.env.name }} 
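Review bot: The new `cqlshrc` volume mounted at `/home/sdc/.cassandra` (hunk `@@ -72,6 +65,8 @@`, volume defined in the last hunk of the file) is backed by the ConfigMap `<release>-sdc-cqlshrc`, whose content is not part of this diff. A cqlshrc file can carry an `[authentication]` section with a username and password, so it is worth confirming that this one holds connection options only and that it becomes a Secret if credentials are ever added. The same mount is added to sdc-wfd-be's job.yaml further down, where `CS_USER`/`CS_PASSWORD` already come from `sdc-cs-secrets`. A short comment next to the mount would record the intent: `# cqlshrc: connection options only, credentials stay in sdc-cs-secrets`.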
@@ -92,17 +87,19 @@ spec: value: "{{ .Values.global.sdc_cassandra.serviceName }}" resources: limits: - cpu: 800m - memory: 1024Mi + cpu: "800m" + memory: "1Gi" requests: - cpu: 200m - memory: 200Mi + cpu: "200m" + memory: "200Mi" {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: name: {{ include "common.release" . }}-sdc-environments-configmap defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never + - name: {{ include "common.fullname" . }}-cqlshrc + configMap: + name: {{ include "common.release" . }}-sdc-cqlshrc + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/pv.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/pv.yaml deleted file mode 100644 index bc110c3b0f..0000000000 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/pv.yaml +++ /dev/null 
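Review bot: This hunk deletes `restartPolicy: Never` from the end of the Job's pod spec and does not add it back. If the policy is not set in the part of the template outside these hunks, the pod template falls back to `Always`, which the Job API does not accept, so the chart would fail at install time; keep `restartPolicy: Never` after the `common.imagePullSecrets` include unless it already exists higher up in the file. The sdc-wfd-be job.yaml hunk in this commit does not touch the policy, so it presumably lives elsewhere in that template.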
@@ -1,41 +0,0 @@
-{{/*
-# ================================================================================
-# Copyright (C) 2019, Nordix Foundation. All rights reserved.
-# ================================================================================
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-{{- if and .Values.persistence.enabled (not .Values.cert.persistence.existingClaim) -}}
-{{- if eq "True" (include "common.needPV" .) -}}
-kind: PersistentVolume
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
- name: {{ include "common.fullname" . }}
-spec:
- capacity:
- storage: {{ .Values.cert.persistence.size}}
- accessModes:
- - {{ .Values.cert.persistence.accessMode }}
- persistentVolumeReclaimPolicy: {{ .Values.cert.persistence.volumeReclaimPolicy }}
- storageClassName: "{{ include "common.fullname" . }}-data"
- hostPath:
- path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.cert.persistence.mountSubPath }}
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/pvc.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/pvc.yaml
deleted file mode 100644
index 006d736b63..0000000000
--- a/kubernetes/sdc/components/sdc-onboarding-be/templates/pvc.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{/*
-# ================================================================================
-# Copyright (C) 2019, Nordix Foundation. All rights reserved.
-# ================================================================================
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-{{- if and .Values.cert.persistence.enabled (not .Values.cert.persistence.existingClaim) -}}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ include "common.fullname" . }}-cert
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ include "common.release" . }}"
- heritage: "{{ .Release.Service }}"
-{{- if .Values.cert.persistence.annotations }}
- annotations:
-{{ toYaml .Values.cert.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
- accessModes:
- - {{ .Values.cert.persistence.accessMode }}
- storageClassName: {{ include "common.storageClass" . }}
- resources:
- requests:
- storage: {{ .Values.cert.persistence.size }}
-{{- end -}}
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml
index ece5a439a3..0a349834b4 100644
--- a/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml
+++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml
@@ -1,6 +1,7 @@
 {{/*
 # Copyright © 2017 Amdocs, Bell Canada
 # Modifications Copyright © 2018 AT&T, ZTE
+# Modifications Copyright © 2023 Deutsche Telekom
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,35 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName | default "http" }}s - - - port: {{ .Values.service.externalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName | default "http" }}} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName | default "http" }}s - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName | default "http" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml index 1db5af98d0..a55565676c 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml @@ -18,7 +18,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true persistence: {} sdc_cassandra: #This flag allows SDC to instantiate its own cluster, serviceName 
@@ -32,35 +31,12 @@ global: clusterName: cassandra dataCenter: Pod -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-onboarding-be-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-onboard-backend:1.12.0 -onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.0 +image: onap/sdc-onboard-backend:1.13.6 +onboardingInitImage: onap/sdc-onboard-cassandra-init:1.13.6 pullPolicy: Always # flag to enable debugging - application support required @@ -109,12 +85,15 @@ startup: service: type: ClusterIP name: sdc-onboarding-be - portName: http - internalPort: 8445 - externalPort: 8445 + internalPort: 8081 + ports: + - name: http + port: 8081 - internalPort2: 8081 - externalPort2: 8081 +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-be-read ## Persist data to a persitent volume persistence: 
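Review bot: After this change the backend exposes plain HTTP on 8081 only, and the `serviceMesh.authorizationPolicy.authorizedPrincipals` list (`sdc-be-read`) is the only caller restriction the chart declares, yet values.yaml does not say when that restriction is actually enforced. Whether `common.authorizationPolicy` renders anything with the mesh switched off is not visible in this diff, so a comment above the block should state the dependency, e.g. `# enforced only when the service mesh is enabled; without it port 8081 is unauthenticated plain HTTP inside the cluster`. The same block is added to the sdc-helm-validator and sdc-wfd-be values.yaml in this commit and would benefit from the same comment.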
@@ -139,17 +118,6 @@ persistence: mountPath: /dockerdata-nfs mountSubPath: /sdc/sdc-cs/CS -##Certificate storage persistence -##This is temporary solution for SDC-1980 -cert: - certDir: /app/jetty/cert - persistence: - enabled: true - size: 10Mi - accessMode: ReadWriteOnce - volumeReclaimPolicy: Retain - mountSubPath: /sdc/onbaording/cert - securityContext: fsGroup: 35953 runAsUser: 352070 @@ -163,18 +131,18 @@ flavor: small resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1.5Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1.5Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "3Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "3Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml index 51e84a690e..8a1a8b34b9 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml @@ -17,15 +17,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Workflow Designer backend name: sdc-wfd-be -version: 12.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.authorizationPolicy" . }}
\ No newline at end of file
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml
index a187e19a75..59ebb02675 100644
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml
+++ b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml
@@ -1,6 +1,7 @@
 {{/*
 # Copyright © 2017 Amdocs, AT&T, Bell Canada
 # Modifications Copyright © 2018 ZTE
+# Modifications Copyright © 2023 Deutsche Telekom
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,26 +18,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: {{- if .Values.initJob.enabled }} - name: {{ include "common.name" . }}-job-completion image: {{ include "repositoryGenerator.image.readiness" . }} @@ -45,7 +34,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.fullname" . }}-workflow-init + - {{ include "common.fullname" . }} env: - name: NAMESPACE valueFrom: 
@@ -54,38 +43,23 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" {{ end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export SERVER_SSL_KEY_PASSWORD=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export SERVER_SSL_TRUST_PASSWORD=$cadi_truststore_password - export SERVER_SSL_KEYSTORE_PATH={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} - export SERVER_SSL_TRUSTSTORE_PATH={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} - ./startup.sh - {{- end }} - ports: - - containerPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} successThreshold: {{ .Values.liveness.successThreshold }} 
@@ -93,14 +67,14 @@ spec: {{ end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} successThreshold: {{ .Values.startup.successThreshold }} 
@@ -128,28 +102,16 @@ spec: valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: cs_truststore_password} - name: SDC_PROTOCOL - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }}" + value: "HTTP" - name: SDC_ENDPOINT - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdcEndpoint.https .Values.config.sdcEndpoint.http }}" + value: "{{ .Values.config.sdcEndpoint.http }}" - name: SDC_USER value: "{{ .Values.config.sdcExternalUser }}" - name: SDC_PASSWORD valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: wf_external_user_password} - {{- if (include "common.needTLS" .) }} - - name: SERVER_SSL_ENABLED - value: "true" - - name: SERVER_SSL_KEYSTORE_TYPE - value: "{{ .Values.config.serverSSLKeyStoreType }}" - - name: SERVER_SSL_TRUSTSTORE_TYPE - value: "{{ .Values.config.serverSSLTrustStoreType }}" - {{- else }} - name: SERVER_SSL_ENABLED value: "false" - {{- end }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} resources: {{ include "common.resources" . | nindent 12 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml index 171442dfdc..e9e5fcf1d1 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml 
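Review bot: `SDC_PROTOCOL` is now the literal `"HTTP"` and `SDC_ENDPOINT` is always `config.sdcEndpoint.http`, so the `SDC_USER`/`SDC_PASSWORD` pair read from `sdc-cs-secrets` is presented to sdc-be over an unencrypted connection unless a mesh sidecar wraps it in mTLS. Nothing in the template ties this to the mesh being enabled, so a comment above the two variables should state it, e.g. `# plain HTTP by design: transport encryption is delegated to the service mesh`, and deployments without the mesh need a documented override. The `cs_truststore_password` secret reference at the top of the hunk is kept although the certInitializer mounts are removed, which looks like a leftover; the env list starts outside the hunk.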
@@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{include "common.ingress" .}} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml index 2e5826d229..5b6762b78f 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml @@ -18,14 +18,7 @@ {{ if .Values.initJob.enabled }} apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }}-workflow-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: backoffLimit: 20 template: @@ -43,7 +36,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-cs-config-cassandra + - {{ include "common.release" . }}-sdc-cs - "-t" - "20" env: @@ -54,11 +47,11 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: 
@@ -72,6 +65,9 @@ spec: - /bin/sh - -c {{- end }} + volumeMounts: + - name: {{ include "common.fullname" . }}-cqlshrc + mountPath: /home/sdc/.cassandra env: - name: CS_HOST value: "{{ .Values.global.sdc_cassandra.serviceName }}" @@ -83,8 +79,12 @@ spec: valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user}} - name: CS_PASSWORD valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-cqlshrc + configMap: + name: {{ include "common.release" . }}-sdc-cqlshrc + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml index 2f4129b03f..895eac1794 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml @@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, Bell Canada # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,28 +17,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml index 8e4916901b..cc85176748 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml @@ -18,7 +18,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true sdc_cassandra: # This flag allows SDC to instantiate its own cluster, serviceName # should be sdc-cs if this flag is enabled 
@@ -32,35 +31,12 @@ global: clusterName: cassandra dataCenter: Pod -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-wfd-be-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-workflow-backend:1.11.1 -configInitImage: onap/sdc-workflow-init:1.11.1 +image: onap/sdc-workflow-backend:1.12.0 +configInitImage: onap/sdc-workflow-init:1.12.0 pullPolicy: Always initJob: @@ -71,7 +47,6 @@ config: cassandraAuthenticationEnabled: true cassandraClientPort: 9042 sdcEndpoint: - https: sdc-be:8443 http: sdc-be:8080 sdcExternalUser: workflow serverSSLKeyStoreType: jks 
@@ -126,41 +101,47 @@ startup: service: type: NodePort - portName: http internalPort: 8080 - externalPort: 8080 - internalPort2: 8443 - externalPort2: 8443 - nodePort: "57" # only one node port. set to http or https port depending on isHttpsEnabled property + ports: + - name: http + port: 8080 + nodePort: "57" ingress: enabled: false service: - baseaddr: "sdc-wfd-be-api" name: "sdc-wfd-be" - port: 8443 - plain_port: 8080 + port: 8080 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-wfd-fe-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: istio-ingress + namespace: istio-ingress + # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) flavor: small resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml b/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml index 1b17aa9e91..79ff34a906 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml @@ -17,15 +17,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Workflow Designer frontend name: sdc-wfd-fe -version: 12.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null 
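Review bot: `type: NodePort` is kept as the default in the `service` block while the only remaining port is plain HTTP 8080 with `nodePort: "57"`, so the backend API stays reachable on every node address without TLS. The sdc-wfd-fe values hunk `@@ -101,26 +76,37 @@` does the same with `nodePort: '56'`. The new `authorizedPrincipals` list only helps if the `common.authorizationPolicy` template renders and a sidecar enforces it, and neither is visible here. Since `istio-ingress` is already an authorized principal, the default could be `type: ClusterIP`, with NodePort left as an explicit override for lab setups.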
+++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml index d57309004d..ad031dabf9 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml 
@@ -16,32 +16,20 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-readiness command: - /app/ready.py args: - - --container-name - - "sdc-wfd-be" + - --service-name + - sdc-wfd-be env: - name: NAMESPACE valueFrom: 
@@ -52,57 +40,20 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-move-cert - command: - - /bin/sh - args: - - -c - - | - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /sdc-certs/{{ .Values.certInitializer.keystoreFile }} - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /sdc-certs/{{ .Values.certInitializer.truststoreFile }} - cp {{ .Values.certInitializer.credsPath }}/mycreds.prop /sdc-certs/mycreds.prop - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: sdc-certs - mountPath: /sdc-certs - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- end }} + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' /sdc-certs/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - export KEYSTORE_PATH=/etc/{{ .Values.certInitializer.keystoreFile }} - export TRUSTSTORE_PATH=/etc/{{ .Values.certInitializer.truststoreFile }} - ./startup.sh - {{- end }} - ports: - - containerPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} successThreshold: {{ .Values.liveness.successThreshold }} @@ -110,14 +61,14 @@ spec: {{ end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} successThreshold: {{ .Values.startup.successThreshold }} 
@@ -128,28 +79,9 @@ spec: - name: JAVA_OPTIONS value: {{ .Values.config.javaOptions }} - name: BACKEND - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.backendServerURL.https .Values.config.backendServerURL.http }}" + value: "{{ .Values.config.backendServerURL.http }}" - name: IS_HTTPS - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}" - {{- if and (include "common.needTLS" .) (eq .Values.security.isDefaultStore false) }} - - name: TRUST_ALL - value: "{{ .Values.config.isTrustAll}}" - {{- end }} - volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - {{- if .Values.global.aafEnabled }} - - name: sdc-certs - mountPath: /sdc-certs/mycreds.prop - subPath: mycreds.prop - - name: sdc-certs - mountPath: /var/lib/jetty/etc/{{ .Values.certInitializer.keystoreFile }} - subPath: {{ .Values.certInitializer.keystoreFile }} - - name: sdc-certs - mountPath: /var/lib/jetty/etc/{{ .Values.certInitializer.truststoreFile }} - subPath: {{ .Values.certInitializer.truststoreFile }} - {{ end }} + value: "false" resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -162,17 +94,8 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - {{- if .Values.global.aafEnabled }} - - name: sdc-certs - emptyDir: - medium: "Memory" - {{- end }} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml index 8f87c68f1e..90875ab5cc 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml index 08feb5a6ed..f6b302776c 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 ZTE # Modifications Copyright © 2018 AT&T, Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -14,39 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "wf-gui", - "version": "v1", - "url": "/", - "protocol": "UI", - "port": "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }}", - "visualRange":"0|1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml index 37fdfd7993..e33cf4827d 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml 
@@ -18,36 +18,12 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 - aafEnabled: true - -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-wfd-fe-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-workflow-frontend:1.11.1 +image: onap/sdc-workflow-frontend:1.12.0 pullPolicy: Always # flag to enable debugging - application support required @@ -56,7 +32,6 @@ debugEnabled: false config: javaOptions: "-Xmx256m -Xms256m" backendServerURL: - https: "https://sdc-wfd-be:8443" http: "http://sdc-wfd-be:8080" # following flag decides whether to check the certificate on the outgoing proxy request or whether to trust all parties isTrustAll: true 
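Review bot: `isTrustAll: true` is still in `config` (hunk `@@ -56,7 +32,6 @@`) although the `TRUST_ALL` environment entry that consumed it is removed from templates/deployment.yaml in this commit, so as far as the visible hunks show the key is now dead. A leftover default that reads as "skip certificate verification" is easy to wire back in by accident once TLS returns. I would drop the key together with its comment line, or at least flip it to `isTrustAll: false`.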
@@ -101,26 +76,37 @@ startup: service: type: NodePort internalPort: 8080 - externalPort: 8080 - internalPort2: 8443 - externalPort2: 8443 - portName: sdc-wfd-fe - nodePort: "56" # only one node port. set to http or https port depending on isHttpsEnabled property + ports: + - name: http + port: 8080 + port_protocol: http + nodePort: '56' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "wf-gui", + "version": "v1", + "url": "/", + "protocol": "UI", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0|1" + } + ]{{ end }} ingress: enabled: false service: - baseaddr: "sdc-wfd-fe-ui" name: "sdc-wfd-fe" - port: 8443 - plain_port: 8080 - annotations: - ingress.kubernetes.io/secure-backends: "false" - nginx.ingress.kubernetes.io/secure-backends: "false" - nginx.ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/backend-protocol: "HTTP" - nginx.ingress.kubernetes.io/rewrite-target: "/workflows/" + port: 8080 + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-fe-read + - serviceAccount: istio-ingress + namespace: istio-ingress # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) @@ -128,18 +114,18 @@ flavor: small resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/resources/config/cqlshrc b/kubernetes/sdc/resources/config/cqlshrc new file mode 100644 index 0000000000..cb6df94880 --- /dev/null +++ b/kubernetes/sdc/resources/config/cqlshrc @@ -0,0 +1,2 @@ +[cql] +version={{.Values.global.sdc_cassandra.cqlVersion}} \ No newline at end of file 
diff --git a/kubernetes/sdc/resources/config/environments/AUTO.json b/kubernetes/sdc/resources/config/environments/AUTO.json index aee666f4af..59cb8655b9 100755 --- a/kubernetes/sdc/resources/config/environments/AUTO.json +++ b/kubernetes/sdc/resources/config/environments/AUTO.json @@ -8,7 +8,7 @@ "chef_type": "environment", "default_attributes": { - "disableHttp": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "disableHttp": false, "CS_VIP": "{{.Values.global.sdc_cassandra.serviceName}}.{{include "common.namespace" .}}", "BE_VIP": "sdc-be.{{include "common.namespace" .}}", "ONBOARDING_BE_VIP": "sdc-onboarding-be.{{include "common.namespace" .}}", @@ -19,7 +19,11 @@ }, "ECompP": { "ecomp_rest_url": "https://portal-app.{{include "common.namespace" .}}:8443/ONAPPORTAL/auxapi", + {{- if .Values.global.kafka.useKafka }} + "ueb_url_list": "no-message-router.{{include "common.namespace" .}}, message-router.{{include "common.namespace" .}}", + {{- else }} "ueb_url_list": "message-router.{{include "common.namespace" .}}, message-router.{{include "common.namespace" .}}", + {{- end }} "app_secret": "XftIATw9Jr3VzAcPqt3NnJOu", "app_key": "x9UfO7JsDn8BESVX", "inbox_name": "ECOMP-PORTAL-INBOX", 
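Review bot: The `ECompP` block touched by hunk `@@ -19,7 +19,11 @@` still carries literal `app_secret` and `app_key` values, and templates/configmap.yaml renders this file (`.Files.Glob "resources/config/environments/*"`) into a ConfigMap rather than a Secret. The same holds for `PublicKey`/`SecretKey` in hunk `@@ -31,17 +35,24 @@` and the `password` entry in hunk `@@ -119,13 +130,6 @@`, and hard-coded defaults of the same kind (`truststore_password`, `keystore_password`, `wf_external_user_password`) sit in the `global` block of kubernetes/sdc/values.yaml. Anyone who can read ConfigMaps in the namespace, or the chart repository, obtains them. While the AAF material is being removed anyway, these could become placeholders filled from a Secret, the way customSettings.js in this commit uses `${DB_PASSWORD}`; for example `"app_secret": "${ECOMP_APP_SECRET}"` (variable name constructed for illustration).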
@@ -31,17 +35,24 @@ "PublicKey": "iPIxkpAMI8qTcQj8", "SecretKey": "Ehq3WyT4bkif4zwgEbvshGal", "fqdn": [ + {{- if .Values.global.kafka.useKafka }} + "no-message-router.{{include "common.namespace" .}}", + "no-message-router.{{include "common.namespace" .}}" + {{- else }} "message-router.{{include "common.namespace" .}}", "message-router.{{include "common.namespace" .}}" + {{- end }} ] }, "Kafka": { - "bootstrap": "{{ include "common.release" . }}-{{ .Values.global.kafka.kafkaBootstrap }}" + "bootstrap": "{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092" }, + {{- if .Values.global.kafka.useKafka }} "DistributionTopics": { "notificationTopicName": "{{ .Values.global.kafka.topics.sdcDistNotifTopic }}", "statusTopicName": "{{ .Values.global.kafka.topics.sdcDistStatusTopic }}" }, + {{- end }} "Nodes": { "CS": [ "{{.Values.global.sdc_cassandra.serviceName}}.{{include "common.namespace" .}}" @@ -119,13 +130,6 @@ "username": "user1@sdc.com", "password": "password==" } - {{- if .Values.global.aafEnabled }} - }, - "jetty": { - "keystore_pwd": "${KEYSTORE_PASS}", - "truststore_pwd": "${TRUSTSTORE_PASS}", - "keymanager_pwd": "${KEYMANAGER_PASS}" - {{- end }} } } } diff --git a/kubernetes/sdc/templates/configmap.yaml b/kubernetes/sdc/templates/configmap.yaml index 712f2ecc61..dee73ba711 100644 --- a/kubernetes/sdc/templates/configmap.yaml +++ b/kubernetes/sdc/templates/configmap.yaml @@ -28,4 +28,17 @@ metadata: data: {{ tpl (.Files.Glob "resources/config/environments/*").AsConfig . | indent 2 }} --- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-cqlshrc + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/cqlshrc").AsConfig . | indent 2 }} +--- {{ include "common.log.configMap" . }} 
diff --git a/kubernetes/sdc/templates/kafkatopic.yaml b/kubernetes/sdc/templates/kafkatopic.yaml new file mode 100644 index 0000000000..53352c4e56 --- /dev/null +++ b/kubernetes/sdc/templates/kafkatopic.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.global.kafka.useKafka }} +{{ include "common.kafkatopic" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml index 60a361eae6..9cfae6ac66 100644 --- a/kubernetes/sdc/values.yaml +++ b/kubernetes/sdc/values.yaml 
@@ -25,36 +25,51 @@ global: truststore_password: eitLRWo7dCssS05eaWltU2lTODllI3Aw keystore_password: PyhrUCFZdXIhWyohWTUhRV5mKFpLYzMx wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== - aafEnabled: true sdc_cassandra: - #This flag allows SDC to instantiate its own cluster, serviceName - #should be "sdc-cs" if this flag is enabled - localCluster: false - #The cassandra service name to connect to (default: shared cassandra service) - serviceName: cassandra - #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled - #to match with its own cluster replica - #see "cassandra: replicaCount" in file sdc-cs/values.yaml) - replicaCount: 3 - dbCache: true - readConsistencyLevel: ONE - writeConsistencyLevel: ALL - clusterName: cassandra - dataCenter: Pod + #This flag allows SDC to instantiate its own cluster, serviceName + #should be "sdc-cs" if this flag is enabled + localCluster: false + #The cassandra service name to connect to (default: shared cassandra service) + #in case of using k8ssandra-operator in the common cassandra installation + #the service name is: + serviceName: cassandra-dc1-service + #in case the older cassandra installation is used: + #serviceName: cassandra + #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled + #to match with its own cluster replica + #see "cassandra: replicaCount" in file sdc-cs/values.yaml) + replicaCount: 3 + dbCache: true + readConsistencyLevel: ONE + writeConsistencyLevel: ALL + clusterName: cassandra + #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod") + dataCenter: dc1 + #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.0.* must be "3.4.5" + #and cassandra 4.1.* must be "3.4.6" + cqlVersion: "3.4.6" + centralizedLoggingEnabled: true - # Kafka config + # global Kafka config passed to sdc-be chart kafka: + # If true, the following Strimzi KafkaTopics will be created useKafka: true - 
sdcBeKafkaUser: sdc-be-kafka-user - kafkaBootstrap: strimzi-kafka-bootstrap:9092 topics: - sdcDistNotifTopic: SDC-DISTR-NOTIF-TOPIC - sdcDistStatusTopic: SDC-DISTR-STATUS-TOPIC + sdcDistNotifTopic: ¬if-topic-name SDC-DISTR-NOTIF-TOPIC + sdcDistStatusTopic: &status-topic-name SDC-DISTR-STATUS-TOPIC + +# Environment file +env: + name: &env AUTO + +kafkaTopic: + - name: *notif-topic-name + suffix: *env + - name: *status-topic-name + suffix: *env sdc-be: logConfigMapNamePrefix: '{{ include "common.release" . }}-sdc' - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.kafka.sdcBeKafkaUser }}' sdc-fe: logConfigMapNamePrefix: '{{ include "common.release" . }}-sdc' sdc-onboarding-be: @@ -62,10 +77,6 @@ sdc-onboarding-be: sdc-wfd-fe: logConfigMapNamePrefix: '{{ include "common.release" . }}-sdc' -# Environment file -env: - name: AUTO - config: logstashServiceName: log-ls logstashPort: 5044 diff --git a/kubernetes/sdnc/Chart.yaml b/kubernetes/sdnc/Chart.yaml index a3f07ebeb5..f98bc4e12d 100644 --- a/kubernetes/sdnc/Chart.yaml +++ b/kubernetes/sdnc/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,61 +18,61 @@ apiVersion: v2 description: SDN Controller name: sdnc -version: 12.0.0 +version: 13.0.2 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: logConfiguration - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: network-name-gen - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: network-name-gen.enabled - name: dgbuilder - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dgbuilder.enabled - name: sdnc-prom - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: config.geoEnabled - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: elasticsearch - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - condition: config.sdnr.enabled + condition: sdnc.elasticsearch.enabled,elasticsearch.enabled # conditions for sdnc-subcharts - name: dmaap-listener - version: ~12.x-0 - repository: 'file://components/dmaap-listener/' + version: ~13.x-0 + repository: '@local' condition: sdnc.dmaap-listener.enabled,dmaap-listener.enabled - name: ueb-listener - version: ~12.x-0 - repository: 'file://components/ueb-listener/' + version: ~13.x-0 + repository: '@local' condition: sdnc.ueb-listener.enabled,ueb-listener.enabled - name: sdnc-ansible-server - version: ~12.x-0 - repository: 'file://components/sdnc-ansible-server/' + version: ~13.x-0 + repository: '@local' condition: sdnc.sdnc-ansible-server.enabled,sdnc-ansible-server.enabled - name: sdnc-web - version: ~12.x-0 - repository: 'file://components/sdnc-web/' + version: ~13.x-0 + repository: '@local' condition: sdnc.sdnc-web.enabled,sdnc-web.enabled - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: 
~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aaf/components/aaf-fs/.helmignore b/kubernetes/sdnc/components/dgbuilder/.helmignore similarity index 100% rename from kubernetes/aaf/components/aaf-fs/.helmignore rename to kubernetes/sdnc/components/dgbuilder/.helmignore diff --git a/kubernetes/sdnc/components/dgbuilder/Chart.yaml b/kubernetes/sdnc/components/dgbuilder/Chart.yaml new file mode 100644 index 0000000000..ff32f4e8a2 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/Chart.yaml @@ -0,0 +1,31 @@ +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: D.G. Builder application +name: dgbuilder +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js b/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js new file mode 100644 index 0000000000..abaab57254 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js 
@@ -0,0 +1,58 @@ +/* Copyright © 2017 AT&T, Amdocs, Bell Canada +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +module.exports={ + "name": "Release sdnc1.0", + "emailAddress": "dguser@onap.org", + "uiPort": 3100, + "mqttReconnectTime": 15000, + "serialReconnectTime": 15000, + "debugMaxLength": 1000, + "htmlPath": "releases/sdnc1.0/html/", + "xmlPath": "releases/sdnc1.0/xml/", + "flowFile": "releases/sdnc1.0/flows/flows.json", + "sharedDir": "releases/sdnc1.0/flows/shared", + "userDir": "releases/sdnc1.0", + "httpAuth": { + "user": "${HTTP_USER}", + "pass": "${HTTP_PASSWORD}" + }, + "dbHost": "{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}", + "dbPort": "3306", + "dbName": "{{.Values.config.db.dbName}}", + "dbUser": "${DB_USER}", + "dbPassword": "${DB_PASSWORD}", + "gitLocalRepository": "", + "restConfUrl": "http://localhost:8181/restconf/operations/SLI-API:execute-graph", + "restConfUser": "${REST_CONF_USER}", + "restConfPassword": "${REST_CONF_PASSWORD}", + "formatXML": "Y", + "formatJSON": "Y", + "httpRoot": "/", + "disableEditor": false, + "httpAdminRoot": "/", + "httpAdminAuth": { + "user": "${HTTP_ADMIN_USER}", + "pass": "${HTTP_ADMIN_PASSWORD}" + }, + "httpNodeRoot": "/", + "httpNodeAuth": { + "user": "${HTTP_NODE_USER}", + "pass": "${HTTP_NODE_PASSWORD}" + }, + "uiHost": "0.0.0.0", + "version": "0.9.1", + "performGitPull": "N" +} 
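Review bot: Every `"${...}"` placeholder in this module is filled by plain text substitution, because the init container in templates/deployment.yaml runs `envsubst <${PFILE} >/config/${PFILE}`. A credential containing `"` or `\` would therefore end the string literal early and change or break the exported settings object. Nothing in this file or in the visible part of the deployment escapes or validates the values. I would at least document the constraint at the top of the file, `/* ${VAR} values are inserted verbatim by envsubst: secrets must not contain " or \ */`, or read them at load time with `process.env.HTTP_PASSWORD` and pass the variables to the main container instead.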
diff --git a/kubernetes/common/dgbuilder/resources/config/svclogic.properties b/kubernetes/sdnc/components/dgbuilder/resources/config/svclogic.properties similarity index 100% rename from kubernetes/common/dgbuilder/resources/config/svclogic.properties rename to kubernetes/sdnc/components/dgbuilder/resources/config/svclogic.properties diff --git a/kubernetes/common/dgbuilder/templates/NOTES.txt b/kubernetes/sdnc/components/dgbuilder/templates/NOTES.txt similarity index 100% rename from kubernetes/common/dgbuilder/templates/NOTES.txt rename to kubernetes/sdnc/components/dgbuilder/templates/NOTES.txt diff --git a/kubernetes/common/dgbuilder/templates/configmap.yaml b/kubernetes/sdnc/components/dgbuilder/templates/configmap.yaml similarity index 100% rename from kubernetes/common/dgbuilder/templates/configmap.yaml rename to kubernetes/sdnc/components/dgbuilder/templates/configmap.yaml diff --git a/kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml b/kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml new file mode 100644 index 0000000000..a89941d3d7 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml 
@@ -0,0 +1,127 @@ +{{/* +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} + - name: HTTP_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "login") | indent 10 }} + - name: HTTP_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "password") | indent 10 }} + - name: HTTP_ADMIN_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "login") | indent 10 }} + - name: HTTP_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "admin-creds" "key" "password") | indent 10 }} + - name: HTTP_NODE_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "login") | indent 10 }} + - name: HTTP_NODE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "password") | indent 10 }} + - name: REST_CONF_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} + - name: REST_CONF_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + - command: + - /app/ready.py + args: + - --service-name + - {{ .Values.config.dbServiceName }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/bash"] + args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && ./start.sh sdnc1.0 && wait"] + ports: {{- include "common.containerPorts" . 
| indent 10 }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: SDNC_CONFIG_DIR + value: /opt/onap/sdnc/data/properties + volumeMounts: + - name: config + mountPath: /opt/app/application.properties + subPath: application.properties + - name: config + mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/conf/svclogic.properties + subPath: svclogic.properties + - name: config + mountPath: /opt/onap/ccsdk/dgbuilder/svclogic/svclogic.properties + subPath: svclogic.properties + - name: config + mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/customSettings.js + subPath: customSettings.js + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: config-input + configMap: + name: {{ include "common.fullname" . }}-config + - name: config + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/dgbuilder/templates/ingress.yaml b/kubernetes/sdnc/components/dgbuilder/templates/ingress.yaml similarity index 100% rename from kubernetes/common/dgbuilder/templates/ingress.yaml rename to kubernetes/sdnc/components/dgbuilder/templates/ingress.yaml diff --git a/kubernetes/common/dgbuilder/templates/secrets.yaml b/kubernetes/sdnc/components/dgbuilder/templates/secrets.yaml similarity index 100% rename from kubernetes/common/dgbuilder/templates/secrets.yaml rename to kubernetes/sdnc/components/dgbuilder/templates/secrets.yaml 
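Review bot: The `update-config` init container calls `envsubst` with no variable list, so every `$NAME` or `${NAME}` token in every file under `/config-input` is rewritten, not only the ten credentials declared in its `env`. Any other dollar-reference in `svclogic.properties`, `application.properties` or `customSettings.js` would be silently replaced by an empty string. Passing the explicit list of the ten variable names as the SHELL-FORMAT argument to `envsubst`, and quoting `${PFILE}` in the redirections, would limit the substitution to the intended placeholders. The same init container also has no `resources` block, while the readiness init container below it gets limits and requests; and the main container defines only a `readinessProbe` although the chart's values carry a `liveness` section.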
diff --git a/kubernetes/sdnc/components/dgbuilder/templates/service.yaml b/kubernetes/sdnc/components/dgbuilder/templates/service.yaml
new file mode 100644
index 0000000000..53f04104d9
--- /dev/null
+++ b/kubernetes/sdnc/components/dgbuilder/templates/service.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2018 AT&T, Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.service" . }}
\ No newline at end of file
diff --git a/kubernetes/sdnc/components/dgbuilder/values.yaml b/kubernetes/sdnc/components/dgbuilder/values.yaml
new file mode 100644
index 0000000000..68cb86bd7e
--- /dev/null
+++ b/kubernetes/sdnc/components/dgbuilder/values.yaml
@@ -0,0 +1,180 @@ +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Global configuration default values that can be inherited by +# all subcharts. +################################################################# +global: + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image pull policy + pullPolicy: Always + + # default mount path root directory referenced + # by persistent volumes and log files + persistence: + mountPath: /dockerdata-nfs + + # flag to enable debugging - application support required + debugEnabled: true + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: 'db-root-password' + type: password + externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' + password: '{{ .Values.config.db.rootPassword }}' + - uid: 'db-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + - uid: 'http-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . 
}}' + login: '{{ .Values.config.httpUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'admin-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.adminCredsExternalSecret) . }}' + login: '{{ .Values.config.adminUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'node-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.nodeCredsExternalSecret) . }}' + login: '{{ .Values.config.nodeUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'restconf-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.restconfCredsExternalSecret) . }}' + login: '{{ .Values.config.restconfUser }}' + password: '{{ .Values.config.restconfPassword }}' + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/ccsdk-dgbuilder-image:1.5.1 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: + db: + dbName: sdnctl + # unused for now to preserve the API + rootPassword: openECOMP1.0 + # rootPasswordExternalSecret: some secret + userName: sdnctl + # unused for now to preserve the API + userPassword: gamma + # userCredentialsExternalSecret: some secret + httpUser: dguser + # unused for now to preserve the API + httpPassword: cc03e747a6afbbcbf8be7668acfebee5 + # httpCredsExternalSecret: some secret + adminUser: dguser + # unused for now to preserve the API + adminPassword: cc03e747a6afbbcbf8be7668acfebee5 + # adminCredsExternalSecret: some secret + nodeUser: dguser + # unused for now to preserve the API + nodePassword: cc03e747a6afbbcbf8be7668acfebee5 + # nodeCredsExternalSecret: some secret + restconfUser: admin + # unused for now to preserve the API + restconfPassword: admin + # restconfCredsExternalSecret: some secret + + dbPodName: 
mysql-db + dbServiceName: sdnc-dbhost + # MD5 hash of dguser password ( default: test123 ) + dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: NodePort + name: dgbuilder + internalPort: 3100 + ports: + - name: http + port: 3100 + nodePort: 28 + +ingress: + enabled: false + service: + - baseaddr: "dgbuilder" + name: "dgbuilder" + port: 3100 + config: + ssl: "redirect" + +#Resource Limit flavor -By Default using small +flavor: small +#segregation for different envionment (Small and Large) + +resources: + small: + limits: + cpu: "2" + memory: "4Gi" + requests: + cpu: "1" + memory: "2Gi" + large: + limits: + cpu: "4" + memory: "8Gi" + requests: + cpu: "2" + memory: "4Gi" + unlimited: {} + +podAnnotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" + +#Pods Service Account +serviceAccount: + nameOverride: dgbuilder + roles: + - read diff --git a/kubernetes/sdnc/components/dmaap-listener/Chart.yaml b/kubernetes/sdnc/components/dmaap-listener/Chart.yaml index 451e73ad42..0fdddec268 100644 --- a/kubernetes/sdnc/components/dmaap-listener/Chart.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/Chart.yaml 
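Review bot: The defaults in this values file combine well-known credentials with an externally reachable service: `dgUserPassword` is an unsalted MD5 whose plaintext is spelled out in the comment above it, the same value backs `http-user-creds`, `admin-creds` and `node-creds`, `restconfPassword` is `admin`, and `service.type` is `NodePort` with `nodePort: 28`. A deployment that overrides nothing therefore publishes the editor on a node port behind credentials anyone can read from the chart. I would default to `type: ClusterIP`, leave the password values empty so that an `externalSecret` or an explicit override is required, and drop the plaintext from the comment. The `httpPassword`, `adminPassword` and `nodePassword` keys are marked unused and could carry a note that `dgUserPassword` is the value actually read by the `secrets` block. The sibling files are renames from `kubernetes/common/dgbuilder`, so these defaults may be inherited rather than new, but the move is a good moment to tighten them.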
@@ -16,15 +16,15 @@ apiVersion: v2 description: SDNC DMaaP Listener name: dmaap-listener -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/dmaap-listener/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdnc/components/dmaap-listener/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml b/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml index b788a36248..110001a6a6 100644 --- a/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml 
@@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -53,11 +50,11 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - {{ include "common.mariadbService" . }} - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} - - --container-name + - --service-name - {{ .Values.config.msgRouterContainerName }} env: - name: NAMESPACE @@ -68,6 +65,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - command: - /opt/onap/sdnc/dmaap-listener/bin/start-dmaap-listener.sh @@ -82,9 +86,6 @@ spec: - name: LOG4J_FORMAT_MSG_NO_LOOKUPS value: "true" volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.config.configDir }}/dblib.properties name: properties subPath: dblib.properties @@ -110,6 +111,7 @@ spec: name: properties subPath: dmaap-consumer-RANSlice.properties resources: {{ include "common.resources" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end }} @@ -118,9 +120,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config-input configMap: name: {{ include "common.fullname" . }} 
@@ -128,5 +127,4 @@ spec: - name: properties emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml b/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml index 728ba05046..77b0d878c1 100644 --- a/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml @@ -14,17 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: ClusterIP - clusterIP: None +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/dmaap-listener/values.yaml b/kubernetes/sdnc/components/dmaap-listener/values.yaml index 4273a31c53..084afa18cb 100644 --- a/kubernetes/sdnc/components/dmaap-listener/values.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/values.yaml @@ -18,6 +18,8 @@ global: nodePortPrefix: 302 mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false @@ -49,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-dmaap-listener-image:2.4.1 +image: onap/sdnc-dmaap-listener-image:2.5.5 pullPolicy: Always # flag to enable debugging - application support required 
@@ -81,6 +83,9 @@ mariadb-galera: persistence: enabled: true mountSubPath: dmaap-listener/maria/data + mariadbOperator: + galera: + enabled: false # default number of instances replicaCount: 1 @@ -105,7 +110,17 @@ ingress: enabled: false service: + type: ClusterIP name: sdnc-dmaap-listener + internalPort: 80 + ports: + - name: http + port: 80 + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read #Resource limit flavor -By default using small flavor: small @@ -114,18 +129,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/components/network-name-gen/Chart.yaml b/kubernetes/sdnc/components/network-name-gen/Chart.yaml new file mode 100644 index 0000000000..e998a64ecc --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/Chart.yaml 
@@ -0,0 +1,34 @@ +# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: Name Generation Micro Service +name: network-name-gen +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: mariadb-init + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/network-name-gen/resources/config/aai_keystore b/kubernetes/sdnc/components/network-name-gen/resources/config/aai_keystore similarity index 100% rename from kubernetes/common/network-name-gen/resources/config/aai_keystore rename to kubernetes/sdnc/components/network-name-gen/resources/config/aai_keystore diff --git a/kubernetes/sdnc/components/network-name-gen/templates/deployment.yaml b/kubernetes/sdnc/components/network-name-gen/templates/deployment.yaml new file mode 100644 index 0000000000..e1fcd235c5 --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/templates/deployment.yaml 
@@ -0,0 +1,120 @@ +{{/* +# Copyright (C) 2018 AT&T Intellectual Property. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - name: {{ include "common.name" . }}-readiness + command: + - /app/ready.py + args: +{{- if .Values.global.mariadbGalera.localCluster }} + - --service-name + - {{ include "common.mariadbService" . }} +{{- else }} + - --job-name + - {{ include "common.release" . }}-{{ index .Values "mariadb-init" "nameOverride" }}-config-job +{{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + command: + - bash + args: + - '-c' + - 'export POL_BASIC_AUTH=`echo -n $POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD | base64`; /startService.sh' + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: SPRING_PROFILE + value: "{{ .Values.config.springProfile }}" + - name: NENG_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "login") | indent 10}} + - name: NENG_DB_PASS + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "password") | indent 10}} + - name: NENG_DB_URL + value: jdbc:mysql://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-init" "config" "mysqlDatabase" }} + - name: POL_CLIENT_AUTH + value: "{{ .Values.config.polClientAuth }}" + - name: POL_BASIC_AUTH_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "login") | indent 10}} + - name: POL_BASIC_AUTH_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "password") | indent 10}} + - name: POL_URL + {{- if (include "common.needTLS" .) }} + value: "{{ .Values.config.polUrl.https }}" + {{- else }} + value: "{{ .Values.config.polUrl.http }}" + {{- end }} + - name: POL_ENV + value: "{{ .Values.config.polEnv }}" + - name: POL_REQ_ID + value: "{{ .Values.config.polReqId }}" + - name: AAI_CERT_PASS + value: "{{ .Values.config.aaiCertPass }}" + - name: AAI_CERT_PATH + value: "{{ .Values.config.aaiCertPath }}" + - name: AAI_URI + {{- if (include "common.needTLS" .) }} + value: "{{ .Values.config.aaiUri.https }}" + {{- else }} + value: "{{ .Values.config.aaiUri.http }}" + {{- end }} + - name: AAI_AUTH + value: "{{ .Values.config.aaiAuth }}" + - name: DISABLE_HOST_VERIFICATION + value: "{{ .Values.config.disableHostVerification }}" + volumeMounts: + - name: certs + mountPath: /opt/etc/config/aai_keystore + subPath: aai_keystore + readOnly: true + resources: {{ include "common.resources" . 
| nindent 10 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: certs + secret: + secretName: {{ include "common.release" . }}-aai-keystore + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/network-name-gen/templates/secrets.yaml b/kubernetes/sdnc/components/network-name-gen/templates/secrets.yaml similarity index 100% rename from kubernetes/common/network-name-gen/templates/secrets.yaml rename to kubernetes/sdnc/components/network-name-gen/templates/secrets.yaml diff --git a/kubernetes/sdnc/components/network-name-gen/templates/service.yaml b/kubernetes/sdnc/components/network-name-gen/templates/service.yaml new file mode 100644 index 0000000000..aac71f7eb3 --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/templates/service.yaml 
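Review bot: `AAI_CERT_PASS`, `AAI_AUTH` and `POL_CLIENT_AUTH` are injected with a literal `value:` taken from `.Values.config`, so they are stored in the Deployment object and readable by anyone allowed to view it, while `NENG_DB_*` and `POL_BASIC_AUTH_*` in the same container use `common.secret.envFromSecretFast`. Declaring matching entries in the chart's `secrets:` list and switching these three variables to the same helper, e.g. `{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "<new-secret-uid>" "key" "password") | indent 10}}`, would keep all credentials in Secrets. The container also declares no `ports`, `readinessProbe` or `livenessProbe`, although the values file defines `service.internalPort`, `readiness` and `liveness`; if that is intentional a short comment saying so would help.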
@@ -0,0 +1,43 @@ +{{/* +# Copyright (C) 2018 AT&T Intellectual Property. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.service.type }} + ports: + {{if eq .Values.service.type "NodePort" -}} + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + name: {{ .Values.service.portName }} + {{- else -}} + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} + {{- end}} + selector: + app.kubernetes.io/name: {{ include "common.name" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + diff --git a/kubernetes/sdnc/components/network-name-gen/values.yaml b/kubernetes/sdnc/components/network-name-gen/values.yaml new file mode 100644 index 0000000000..9d6a0aef5c --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/values.yaml 
@@ -0,0 +1,136 @@ +# Copyright (C) 2018 AT&T Intellectual Property. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Global configuration default values that can be inherited by +# all subcharts. +################################################################# +global: + + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image pull policy + pullPolicy: IfNotPresent + + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + localCluster: false + service: &dbService mariadb-galera + internalPort: &dbPort 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: neng-db-secret + name: &dbUserSecretName '{{ include "common.release" . }}-neng-db-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.externalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + - uid: pol-basic-auth-secret + name: '{{ include "common.release" . }}-pol-basic-auth-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.polBasicAuthSecret) . 
}}' + login: '{{ .Values.config.polBasicAuthUser }}' + password: '{{ .Values.config.polBasicAuthPassword }}' + +mariadb-init: + config: + userCredentialsExternalSecret: *dbUserSecretName + mysqlDatabase: nengdb + nameOverride: nengdb-init + mariadb-galera: + nameOverride: *dbService + service: + internalPort: *dbPort + serviceAccount: + nameOverride: nengdb-init + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/ccsdk-apps-ms-neng:1.4.0 +pullPolicy: IfNotPresent + +# application configuration +config: + db: + userName: nenguser + # userPassword: password + # userCredentialsExternalSecret: some-secret + springProfile: live + polClientAuth: cHl0aG9uOnRlc3Q= + polBasicAuthUser: healthcheck + polBasicAuthPassword: zb!XztG34 + polUrl: + https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision + http: http://policy-xacml-pdp:6969/policy/pdpx/v1/decision + polEnv: TEST + polReqId: xx + disableHostVerification: true + aaiCertPass: changeit + aaiCertPath: /opt/etc/config/aai_keystore + aaiAuth: QUFJOkFBSQ== + aaiUri: + https: https://aai:8443/aai/v14/ + http: http://aai:80/aai/v14/ + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: false + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: neng-serv + portName: http + internalPort: 8080 + externalPort: 8080 + +ingress: + enabled: false + +resources: {} + +podAnnotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # 
(https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" + +#Pods Service Account +serviceAccount: + nameOverride: network-name-gen + roles: + - read diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml index 924d5e4e0a..e7342b10e0 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: SDN-C Ansible Server name: sdnc-ansible-server -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdnc/components/sdnc-ansible-server/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
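Review bot: `disableHostVerification: true` is the shipped default even though `polUrl.https` and `aaiUri.https` are defined; judging by the name this turns off TLS host name checking for those calls, so I would default it to `false` and add a comment that it may only be enabled for lab setups. The `neng-db-secret` entry reads `.Values.config.db.externalSecret`, but the commented example under `config.db` is `# userCredentialsExternalSecret: some-secret`, so a user who uncomments the documented key gets no effect; the comment should read `# externalSecret: some-secret` or the template should use the documented key. `polBasicAuthPassword`, `aaiCertPass`, `aaiAuth` and `polClientAuth` are fixed defaults as well, and the base64 values are encoded rather than protected, which is worth stating in a comment next to them.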
diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml index 51263cf410..f558b71125 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml @@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -53,7 +50,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} env: - name: NAMESPACE @@ -64,6 +61,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: ["/bin/bash"] @@ -71,8 +75,7 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -88,9 +91,6 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.config.configDir }}/RestServer_config name: config subPath: RestServer_config 
@@ -103,9 +103,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config-input configMap: name: {{ include "common.fullname" . }} @@ -113,5 +110,4 @@ spec: - name: config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml index 3543044eaf..fe45159c64 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml @@ -14,22 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - selector: - app.kubernetes.io/name: {{ include "common.name" . }} - app.kubernetes.io/instance: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml index ee5d498f56..a1c90071b0 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml 
@@ -18,6 +18,8 @@ global: nodePortPrefix: 302 mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false @@ -49,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ansible-server-image:2.4.1 +image: onap/sdnc-ansible-server-image:2.5.5 pullPolicy: Always # flag to enable debugging - application support required @@ -78,6 +80,9 @@ mariadb-galera: persistence: enabled: true mountSubPath: ansible-server/maria/data + mariadbOperator: + galera: + enabled: false # default number of instances replicaCount: 1 @@ -101,13 +106,18 @@ readiness: service: type: ClusterIP name: sdnc-ansible-server - portName: http internalPort: 8000 - externalPort: 8000 + ports: + - name: http + port: 8000 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + #Resource Limit flavor -By default using small flavor: small @@ -116,18 +126,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.5 - memory: 500Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/components/sdnc-prom/Chart.yaml b/kubernetes/sdnc/components/sdnc-prom/Chart.yaml index 65382edcc5..85bfb265b1 100644 --- a/kubernetes/sdnc/components/sdnc-prom/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/Chart.yaml 
@@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP SDNC Policy Driven Ownership Management name: sdnc-prom -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml index 803434cf09..7562a97929 100644 --- a/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml @@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: 1 selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -30,9 +27,9 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - sdnc - - --container-name + - --service-name - consul env: - name: NAMESPACE @@ -43,6 +40,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -53,9 +57,6 @@ spec: workingDir: "/app" command: [ "bin/prom.sh" ] volumeMounts: - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: prom-config mountPath: /app/config - name: prom-scripts 
@@ -71,9 +72,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: prom-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -88,5 +86,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/sdnc-prom/values.yaml b/kubernetes/sdnc/components/sdnc-prom/values.yaml index eb11d646b3..e52bc24a2d 100644 --- a/kubernetes/sdnc/components/sdnc-prom/values.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/values.yaml @@ -93,7 +93,22 @@ persistence: ingress: enabled: false -resources: {} +resources: + small: + limits: + cpu: "1" + memory: "500Mi" + requests: + cpu: "0.5" + memory: "500Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + unlimited: {} #Pods Service Account serviceAccount: diff --git a/kubernetes/sdnc/components/sdnc-web/Chart.yaml b/kubernetes/sdnc/components/sdnc-web/Chart.yaml index 43c53c6ea5..db331e19f5 100644 --- a/kubernetes/sdnc/components/sdnc-web/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-web/Chart.yaml @@ -16,18 +16,15 @@ apiVersion: v2 description: SDN-C Web Server name: sdnc-web -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/sdnc-web/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/sdnc-web/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null 
+++ b/kubernetes/sdnc/components/sdnc-web/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml index 03432d3b63..90632820e7 100644 --- a/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml @@ -23,14 +23,14 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | indent 6 }} + initContainers: - name: {{ include "common.name" . }}-readiness image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /app/ready.py args: - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} env: - name: NAMESPACE @@ -38,6 +38,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} 
@@ -49,34 +56,26 @@ spec: {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - name: WEBPROTOCOL - value: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.webProtocol .Values.config.webPlainProtocol }} + value: {{ .Values.config.webProtocol }} - name: WEBPORT - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.webPort .Values.config.webPlainPort | quote }} + value : {{ .Values.config.webPort | quote }} - name: SDNRPROTOCOL - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdnrProtocol .Values.config.sdnrPlainProtocol }} + value : {{ .Values.config.sdnrProtocol }} - name: SDNRHOST - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdnrHost .Values.config.sdnrPlainHost }}.{{ include "common.namespace" . }} + value : {{ .Values.config.sdnrHost }}.{{ include "common.namespace" . }} - name: SDNRPORT - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdnrPort .Values.config.sdnrPlainPort | quote }} - {{ if (include "common.needTLS" .) 
}} - - name: SSL_CERT_DIR - value: {{ .Values.config.sslCertDir }} - - name: SSL_CERTIFICATE - value: {{ .Values.config.sslCertiticate }} - - name: SSL_CERTIFICATE_KEY - value: {{ .Values.config.sslCertKey }} - {{ end }} + value : {{ .Values.config.sdnrPort | quote }} {{ if .Values.config.transportpce.enabled }} - name: TRPCEURL value: {{ .Values.config.transportpce.transportpceUrl }} @@ -91,11 +90,8 @@ spec: value: "{{ .Values.config.oauth.enabled | default "false" }}" - name: ENABLE_ODLUX_RBAC value: "{{ .Values.config.oauth.odluxRbac.enabled | default "false" }}" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - + - name: SDNRWEBSOCKETPORT + value: "{{ .Values.sdnrWebsocketPort | default "8182" }}" resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} @@ -104,10 +100,4 @@ spec: affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/sdnc-web/templates/ingress.yaml b/kubernetes/sdnc/components/sdnc-web/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/sdnc/components/sdnc-web/templates/ingress.yaml 
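Review bot: The new `SDNRWEBSOCKETPORT` entry in the `@@ -91,11 +90,8 @@` hunk reads `.Values.sdnrWebsocketPort` from the chart root, whereas the other settings visible in this env list come from `.Values.config.*`. No values.yaml hunk in this diff declares the key, so the only place the `8182` default is recorded is this template. I would either move it next to its siblings as `value: "{{ .Values.config.sdnrWebsocketPort | default "8182" }}"` or add a commented `sdnrWebsocketPort: 8182` entry to values.yaml so operators can find it. The container spec starts outside the hunk, so the rest of the env list is not visible here.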
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/sdnc/components/sdnc-web/templates/service.yaml b/kubernetes/sdnc/components/sdnc-web/templates/service.yaml index 216073eee6..b4b437ccfe 100644 --- a/kubernetes/sdnc/components/sdnc-web/templates/service.yaml +++ b/kubernetes/sdnc/components/sdnc-web/templates/service.yaml @@ -13,5 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- include "common.service" . -}} +{{ include "common.service" . }} diff --git a/kubernetes/sdnc/components/sdnc-web/values.yaml b/kubernetes/sdnc/components/sdnc-web/values.yaml index 979698ffef..98e44d02ab 100644 --- a/kubernetes/sdnc/components/sdnc-web/values.yaml +++ b/kubernetes/sdnc/components/sdnc-web/values.yaml 
@@ -16,31 +16,22 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true nodePortPrefix: 322 - k8scluster: svc.cluster.local + ################################################################# # Application configuration defaults. ################################################################# # application image -image: "onap/sdnc-web-image:2.4.1" +image: "onap/sdnc-web-image:2.5.5" pullPolicy: Always config: sdncChartName: sdnc - webProtocol: HTTPS - webPlainProtocol: HTTP - webPort: 8443 - webPlainPort: 8080 - sdnrProtocol: https - sdnrPlainProtocol: http + webProtocol: HTTP + webPort: 8080 + sdnrProtocol: http sdnrHost: "sdnc" - sdnrPlainHost: "sdnc" - sdnrPort: "8443" - sdnrPlainPort : "8080" - sslCertDir: "/opt/app/osaaf/local/certs" - sslCertiticate: "cert.pem" - sslCertKey: "key.pem" + sdnrPort: "8282" oauth: enabled: false odluxRbac: 
@@ -53,30 +44,6 @@ config: topologyserverUrl: http://toplogy-api-service.topology:3001 tileserverUrl: https://tile.openstreetmap.org - -################################################################# -# aaf configuration defaults. -################################################################# -certInitializer: - nameOverride: sdnc-web-cert-initializer - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: "org.onap.sdnc" - public_fqdn: "sdnc.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - cd /opt/app/osaaf/local - mkdir -p certs - keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password - openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12 - cp {{ .Values.fqi_namespace }}.key certs/key.pem - chmod -R 755 certs - # default number of instances replicaCount: 1 @@ -98,22 +65,27 @@ readiness: service: name: sdnc-web - suffix: service type: NodePort - sessionAffinity: ClientIP # for liveness and readiness probe only # internalPort: - internalPort: 8443 - internalPlainPort: 8080 + internalPort: 8080 ports: - - name: http-sdnc-web - port: "8443" - plain_port: "8080" - port_protocol: http + - name: http + port: "8080" nodePort: "05" -#ingress: -# enabled: false +ingress: + enabled: false + service: + - baseaddr: "sdnc-web-ui" + name: "sdnc-web" + port: 8080 + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress #Resource limit flavor -By default using small flavor: small 
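Review bot: The `service:` block in the `@@ -98,22 +65,27 @@` hunk keeps `type: NodePort` with `nodePort: "05"` while the only port becomes plain `8080`, and this commit also removes the certificate setup and the HTTPS values. If the chart is installed without the mesh sidecar, or `common.service` does not rewrite the type (not visible here), the web UI and its logins are served unencrypted on a node port. The `istio-ingress` principal added below would then only be effective for traffic that actually arrives through the mesh. The other two services touched in this commit use `type: ClusterIP`; I would do the same here now that an `ingress:` block exists, or add a comment such as `# NodePort is plain HTTP; expose only behind the ingress gateway`.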
@@ -121,18 +93,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.5 - memory: 500Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/components/ueb-listener/Chart.yaml b/kubernetes/sdnc/components/ueb-listener/Chart.yaml index d30c30e8db..a7dff1364b 100644 --- a/kubernetes/sdnc/components/ueb-listener/Chart.yaml +++ b/kubernetes/sdnc/components/ueb-listener/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: SDNC UEB Listener name: ueb-listener -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/ueb-listener/resources/config/log4j2.xml b/kubernetes/sdnc/components/ueb-listener/resources/config/log4j2.xml new file mode 100644 index 0000000000..d0c1f718b5 --- /dev/null +++ b/kubernetes/sdnc/components/ueb-listener/resources/config/log4j2.xml @@ -0,0 +1,25 @@ + + + + $${env:LOGDIR:-logs} + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties b/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties index 45a80af8a6..e27ef36bee 100644 --- a/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties +++ b/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties 
@@ -1,11 +1,9 @@ -{{- if (include "common.needTLS" .) }} -org.onap.ccsdk.sli.northbound.uebclient.asdc-address=sdc-be.{{.Release.Namespace}}:8443 -{{- else }} -org.onap.ccsdk.sli.northbound.uebclient.asdc-address=sdc-be.{{.Release.Namespace}}:8080 +org.onap.ccsdk.sli.northbound.uebclient.sdc-address=sdc-be.{{.Release.Namespace}}:8080 org.onap.ccsdk.sli.northbound.uebclient.use-https=false +{{- with (first .Values.kafkaUser.acls) }} +org.onap.ccsdk.sli.northbound.uebclient.consumer-group={{ .name }} +org.onap.ccsdk.sli.northbound.uebclient.consumer-id={{ .name }}-sdc-listener {{- end }} -org.onap.ccsdk.sli.northbound.uebclient.consumer-group=sdc-OpenSource-Env1-sdnc-dockero -org.onap.ccsdk.sli.northbound.uebclient.consumer-id=sdc-COpenSource-Env11-sdnc-dockero org.onap.ccsdk.sli.northbound.uebclient.environment-name=AUTO org.onap.ccsdk.sli.northbound.uebclient.password=${UEB_PASSWORD} org.onap.ccsdk.sli.northbound.uebclient.user=${UEB_USER} @@ -24,4 +22,3 @@ org.onap.ccsdk.sli.northbound.uebclient.keystore-path= org.onap.ccsdk.sli.northbound.uebclient.keystore-password= org.onap.ccsdk.sli.northbound.uebclient.xslt-path-list=/opt/onap/sdnc/ueb-listener/lib/normalizeTagNames.xslt,/opt/onap/sdnc/ueb-listener/lib/removeNs.xslt org.onap.ccsdk.sli.northbound.uebclient.artifact-map=/opt/onap/sdnc/data/properties/artifact.map -org.onap.ccsdk.sli.northbound.uebclient.msg-bus-address=message-router.{{.Release.Namespace}},message-router.{{.Release.Namespace}} diff --git a/kubernetes/sdnc/components/ueb-listener/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/ueb-listener/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdnc/components/ueb-listener/templates/authorizationpolicy.yaml 
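Review bot: The `{{- with (first .Values.kafkaUser.acls) }}` block in the first hunk takes `consumer-group` and `consumer-id` from whatever ACL happens to be listed first. That works only while the `type: group` entry stays at index 0 of `kafkaUser.acls`; if an override reorders the list, the listener joins a group named after the topic prefix, which the group ACL presumably does not cover. I would select the entry by type rather than position, or at least add a comment to values.yaml such as `# the first ACL must be the consumer group; ueb-listener.properties reads its name`. Separately, `use-https=false` is now unconditional, so `${UEB_USER}`/`${UEB_PASSWORD}` are protected in transit only if the mesh encrypts pod-to-pod traffic, which is worth stating in a comment.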
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml b/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml index a23a6af460..1a6efe4c41 100644 --- a/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml +++ b/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml @@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -56,14 +53,12 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - {{ include "common.mariadbService" . }} - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} - - --container-name + - --service-name - {{ .Values.config.sdcbeChartName }} - - --container-name - - {{ .Values.config.msgRouterContainerName }} env: - name: NAMESPACE valueFrom: 
@@ -73,6 +68,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - command: - /opt/onap/sdnc/ueb-listener/bin/start-ueb-listener.sh @@ -86,17 +88,23 @@ spec: value: "{{ .Values.config.configDir }}" - name: LOG4J_FORMAT_MSG_NO_LOOKUPS value: "true" + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.config.configDir }}/dblib.properties name: properties subPath: dblib.properties - mountPath: {{ .Values.config.configDir }}/ueb-listener.properties name: properties subPath: ueb-listener.properties + - mountPath: {{ .Values.config.configDir }}/log4j2.xml + name: properties + subPath: log4j2.xml resources: {{ include "common.resources" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end }} @@ -105,9 +113,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config-input configMap: name: {{ include "common.fullname" . }} @@ -115,5 +120,4 @@ spec: - name: properties emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/ueb-listener/templates/kafkauser.yaml b/kubernetes/sdnc/components/ueb-listener/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/sdnc/components/ueb-listener/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/sdnc/components/ueb-listener/templates/service.yaml b/kubernetes/sdnc/components/ueb-listener/templates/service.yaml index 728ba05046..77b0d878c1 100644 --- a/kubernetes/sdnc/components/ueb-listener/templates/service.yaml +++ b/kubernetes/sdnc/components/ueb-listener/templates/service.yaml @@ -14,17 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: ClusterIP - clusterIP: None +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/ueb-listener/values.yaml b/kubernetes/sdnc/components/ueb-listener/values.yaml index 7c85f39fcc..bccb1d7af6 100644 --- a/kubernetes/sdnc/components/ueb-listener/values.yaml +++ b/kubernetes/sdnc/components/ueb-listener/values.yaml 
@@ -18,6 +18,8 @@ global: nodePortPrefix: 302 mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false @@ -55,7 +57,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ueb-listener-image:2.4.1 +image: onap/sdnc-ueb-listener-image:2.5.5 pullPolicy: Always # flag to enable debugging - application support required @@ -92,6 +94,9 @@ mariadb-galera: persistence: enabled: true mountSubPath: ueb-listener/maria/data + mariadbOperator: + galera: + enabled: false # default number of instances replicaCount: 1 @@ -113,29 +118,49 @@ readiness: periodSeconds: 10 service: + type: ClusterIP name: sdnc-ueb-listener + internalPort: 80 + ports: + - name: http + port: 80 + +# Strimzi KafkaUser definition +kafkaUser: + acls: + - name: sdnc + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + #Resource limit flavor -By default using small flavor: small #Segregation for different environment (small and large) resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 0.5 - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/resources/config/bin/createSdnrDb.sh b/kubernetes/sdnc/resources/config/bin/createSdnrDb.sh new file mode 100644 index 0000000000..28c703b1bd --- /dev/null +++ b/kubernetes/sdnc/resources/config/bin/createSdnrDb.sh 
@@ -0,0 +1,30 @@ +#!/bin/sh + +### +# ============LICENSE_START======================================================= +# ONAP : SDN-C +# ================================================================================ +# Copyright (C) 2023 highstreet technologies Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +### + +echo "Create '${SDNRDBDATABASE}' and user '${SDNRDBUSERNAME}' within maria-galera database cluster" +root_user=root +mysql -v -v -u $root_user -p${MYSQL_ROOT_PASSWORD} -Bse "\ +CREATE DATABASE IF NOT EXISTS ${SDNRDBDATABASE}; \ +CREATE USER IF NOT EXISTS ${SDNRDBUSERNAME}@'%' IDENTIFIED BY '${SDNRDBPASSWORD}'; \ +GRANT ALL PRIVILEGES ON ${SDNRDBDATABASE}.* TO '${SDNRDBUSERNAME}'@'%'; \ +FLUSH PRIVILEGES; " + diff --git a/kubernetes/sdnc/resources/config/conf/aaiclient.properties b/kubernetes/sdnc/resources/config/conf/aaiclient.properties index 5108a9d005..971a446d64 100755 --- a/kubernetes/sdnc/resources/config/conf/aaiclient.properties +++ b/kubernetes/sdnc/resources/config/conf/aaiclient.properties 
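Review bot: The `mysql` call in createSdnrDb.sh passes both secrets on the command line: `-p${MYSQL_ROOT_PASSWORD}` and the `-Bse "…IDENTIFIED BY '${SDNRDBPASSWORD}'…"` string are visible to anything that can list processes in the container. `-v -v` also very likely echoes the executed statements, password included, into the job log. Feeding the statements on stdin and handing the root password over in the environment keeps both out of argv and out of the log. The user name is also unquoted in `CREATE USER` but quoted in `GRANT`; quoting it in both keeps the two statements referring to the same account. Values containing a single quote would still break the SQL, so the chart should document that restriction on the generated password.

```shell
echo "Create '${SDNRDBDATABASE}' and user '${SDNRDBUSERNAME}' within maria-galera database cluster"
root_user=root
# Root password goes through the environment and the SQL through stdin, so
# neither secret appears in the process arguments; no -v, so nothing is echoed.
MYSQL_PWD="${MYSQL_ROOT_PASSWORD}" mysql -u "$root_user" -Bs <<EOF
CREATE DATABASE IF NOT EXISTS ${SDNRDBDATABASE};
CREATE USER IF NOT EXISTS '${SDNRDBUSERNAME}'@'%' IDENTIFIED BY '${SDNRDBPASSWORD}';
GRANT ALL PRIVILEGES ON ${SDNRDBDATABASE}.* TO '${SDNRDBUSERNAME}'@'%';
FLUSH PRIVILEGES;
EOF
```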
@@ -38,11 +38,7 @@ org.onap.ccsdk.sli.adaptors.aai.application=openECOMP # # Configuration file for A&AI Client # -{{- if (include "common.needTLS" .) }} -org.onap.ccsdk.sli.adaptors.aai.uri=https://aai.{{.Release.Namespace}}:8443 -{{- else }} org.onap.ccsdk.sli.adaptors.aai.uri=http://aai.{{.Release.Namespace}}:80 -{{- end }} connection.timeout=60000 read.timeout=60000 diff --git a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties index 303e504aa9..9e5e25443f 100644 --- a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties +++ b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties 
@@ -1,43 +1,43 @@ [general] -dmaapEnabled={{.Values.config.sdnr.mountpointRegistrarEnabled | default "false"}} -{{ if .Values.global.aafEnabled }} -baseUrl=https://localhost:{{.Values.service.internalPort4}} -{{- else }} -baseUrl=http://localhost:{{.Values.service.internalPort}} -{{- end }} +baseUrl=http://{{.Values.service.name}}.{{.Release.Namespace}}:{{.Values.service.externalPort}} sdnrUser=${ODL_ADMIN_USERNAME} sdnrPasswd=${ODL_ADMIN_PASSWORD} +[strimzi-kafka] +strimziEnabled=${SDNR_KAFKA_ENABLED} +bootstrapServers=${SDNR_KAFKA_BOOTSTRAP_SERVERS} +securityProtocol=${SDNR_KAFKA_SECURITY_PROTOCOL} +saslMechanism=${SDNR_KAFKA_SASL_MECHANISM} +saslJaasConfig=${SDNR_KAFKA_SASL_JASS_CONFIG} + [fault] -faultConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPFaultVESMsgConsumer -TransportType=HTTPNOAUTH -host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}} -{{- if .Values.config.sdnr.dmaapProxy.enabled }} -{{- if .Values.config.sdnr.dmaapProxy.usepwd }} -jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME} -jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD} -{{- end }} -jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }} -{{- end }} topic=unauthenticated.SEC_FAULT_OUTPUT -contenttype=application/json -group=myG -id=C1 +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 +limit=10000 +fetchPause=5000 + +[provisioning] +topic=unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 limit=10000 +fetchPause=5000 [pnfRegistration] -pnfRegConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPPNFRegVESMsgConsumer -TransportType=HTTPNOAUTH -host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}} -{{- if .Values.config.sdnr.dmaapProxy.enabled }} -{{- if .Values.config.sdnr.dmaapProxy.usepwd }} 
-jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME} -jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD} -{{- end }} -jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }} -{{- end }} topic=unauthenticated.VES_PNFREG_OUTPUT -contenttype=application/json -group=myG -id=C1 +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 +limit=10000 +fetchPause=5000 + +[stndDefinedFault] +topic=unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 limit=10000 +fetchPause=5000 diff --git a/kubernetes/sdnc/resources/env.yaml b/kubernetes/sdnc/resources/env.yaml index f02f8aef16..d1eec9b189 100644 --- a/kubernetes/sdnc/resources/env.yaml +++ b/kubernetes/sdnc/resources/env.yaml @@ -14,7 +14,7 @@ # limitations under the License. */}} -SDNC_AAF_ENABLED: "{{ .Values.global.aafEnabled }}" +SDNC_AAF_ENABLED: "false" SDNC_GEO_ENABLED: "{{ .Values.config.geoEnabled }}" SDNC_IS_PRIMARY_CLUSTER: "{{ .Values.config.isPrimaryCluster }}" SDNC_ODL_COUNT: "{{ .Values.replicaCount }}" diff --git a/kubernetes/sdnc/templates/authorizationpolicy.yaml b/kubernetes/sdnc/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..672ddf0b2f --- /dev/null +++ b/kubernetes/sdnc/templates/authorizationpolicy.yaml 
@@ -0,0 +1,61 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsSdnHosts := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsSdnHosts -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: sdnhost-{{ include "common.servicename" . }}-authz + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app: sdnhost-{{ include "common.name" . 
}} + action: ALLOW + rules: +{{- if $authorizedPrincipalsSdnHosts }} +{{- range $principal := $authorizedPrincipalsSdnHosts }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/sdnc/templates/job.yaml b/kubernetes/sdnc/templates/job.yaml index b6dc32b096..ffd578f3f1 100755 --- a/kubernetes/sdnc/templates/job.yaml +++ b/kubernetes/sdnc/templates/job.yaml @@ -34,7 +34,7 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: @@ -75,21 +75,6 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.mariadbService" . }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
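Review bot: The new policy selects workloads with `app: sdnhost-{{ include "common.name" . }}`, but the only place this commit adds that label is `metadata.labels` of the `sdnhost-…-0/1/2` Service objects in service.yaml. An Istio AuthorizationPolicy selector is matched against pod labels, not Service labels, so unless the StatefulSet pod template carries the same label (not visible in this diff) the policy selects nothing and restricts nothing. I would either add the label to the pod template or select on a label the pods already have, and note it in the template, e.g. `# selector must match a pod label; labels on the Service are not evaluated`. Separately, `default "onap" $principal.namespace` hard-codes the namespace; a release installed elsewhere would get principals in `ns/onap`, so `include "common.namespace" .` looks like the safer default.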
@@ -159,10 +144,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: docker-entrypoint-initdb-d emptyDir: {} - name: bin @@ -177,6 +160,5 @@ spec: emptyDir: medium: Memory restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- end -}} diff --git a/kubernetes/sdnc/templates/kafkauser.yaml b/kubernetes/sdnc/templates/kafkauser.yaml new file mode 100644 index 0000000000..48c4754db8 --- /dev/null +++ b/kubernetes/sdnc/templates/kafkauser.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 highstreet technologies GmbH +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.config.sdnr.kafka.enabled }} +{{ include "common.kafkauser" . }} +{{ end }} diff --git a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml index 665e16c9f8..1845f6cc9f 100755 --- a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml +++ b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml 
@@ -23,23 +23,21 @@ spec: metadata: {{ include "common.templateMetadata" . | indent 6}} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 }} - {{ if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-chown - image: {{ include "repositoryGenerator.image.busybox" . }} - command: ["sh", "-c", "chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }}"] - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - {{ end }} - name: {{ include "common.name" . }}-readiness command: - /app/ready.py args: + {{- if .Values.config.sdnr.mariadb.enabled }} + - --service-name + - {{ include "common.mariadbService" . }} + {{- else }} - --container-name - {{.Values.elasticsearch.nameOverride}}-elasticsearch - --container-name - {{.Values.elasticsearch.nameOverride}}-nginx - --container-name - {{.Values.elasticsearch.nameOverride}}-master + {{- end }} env: - name: NAMESPACE valueFrom: @@ -48,6 +46,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-sdnrdb-init-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -56,10 +61,13 @@ spec: args: - -c - | + {{- if .Values.config.sdnr.mariadb.enabled }} + "{{ .Values.config.binDir }}/createSdnrDb.sh"; + {{- end }} sleep 90; "{{ .Values.config.binDir }}/startODL.sh" env: - name: SDNC_AAF_ENABLED - value: "{{ .Values.global.aafEnabled}}" + value: "false" - name: SDNC_HOME value: "{{.Values.config.sdncHome}}" - name: ETC_DIR 
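Review bot: The container that runs `createSdnrDb.sh` goes on to run `startODL.sh` in the same shell, and the next hunk (`@@ -69,16 +77,34 @@`) injects `MYSQL_ROOT_PASSWORD` into that container, so the database root credential stays in the environment of the ODL start-up and everything it spawns. Only the create script needs it; clearing it afterwards keeps the exposure to that one step: `"{{ .Values.config.binDir }}/createSdnrDb.sh"; unset MYSQL_ROOT_PASSWORD;`. A dedicated init container for the database creation would separate the privilege more cleanly. The `;` also means a failed database creation is followed by `sleep 90` and `startODL.sh` regardless, which is worth a deliberate decision.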
@@ -69,16 +77,34 @@ spec: ## start sdnrdb parameter - name: SDNRINIT value: "true" + {{- if .Values.config.sdnr.mariadb.enabled }} + - name: SDNRDBTYPE + value: MARIADB + - name: MYSQL_HOST + value: {{ include "common.mariadbService" . }} + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} + - name: SDNRDBURL + value: "jdbc:mysql://{{ include "common.mariadbService" . }}:3306/{{ .Values.config.sdnr.mariadb.databaseName }}" + - name: SDNRDBDATABASE + value: "{{ .Values.config.sdnr.mariadb.databaseName }}" + - name: SDNRDBUSERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "login") | indent 12 }} + - name: SDNRDBPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "password") | indent 12 }} + {{- else }} - name: SDNRDBURL - {{ if .Values.global.aafEnabled -}} - value: "https://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" - {{- else -}} value: "http://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" - {{- end }} - name: SDNRDBPARAMETER value: "-k" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - resources: {{ include "common.resources" . | nindent 12 }} + {{- end }} + {{- if .Values.config.sdnr.mariadb.enabled }} + volumeMounts: + - mountPath: {{ .Values.config.binDir }}/createSdnrDb.sh + name: bin + subPath: createSdnrDb.sh + {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if include "common.onServiceMesh" . }} - name: sdnrdb-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" . }} 
@@ -103,10 +129,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: docker-entrypoint-initdb-d emptyDir: {} - name: bin @@ -117,9 +141,6 @@ spec: configMap: name: {{ include "common.fullname" . }}-properties defaultMode: 0644 -{{ include "common.certInitializer.volumes" . | nindent 6 }} restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end -}} diff --git a/kubernetes/sdnc/templates/service.yaml b/kubernetes/sdnc/templates/service.yaml index 1fe4ee3ded..052cfe16ad 100644 --- a/kubernetes/sdnc/templates/service.yaml +++ b/kubernetes/sdnc/templates/service.yaml @@ -38,18 +38,18 @@ metadata: } ]' spec: - type: NodePort + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} ports: - name: "{{ .Values.service.portName }}-restconf" - {{ if not .Values.global.aafEnabled }} port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - {{- else -}} - port: {{ .Values.service.externalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - {{ end }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort4 }} + {{ end }} {{ if .Values.config.sdnr.enabled }} + - name: "{{ .Values.service.portName }}-sdnrwebsocket" + port: {{ .Values.service.sdnrWebsocketPort | default "8182" }} + targetPort: {{ .Values.service.sdnrWebsocketPort }} sessionAffinity: ClientIP {{ end }} selector: 
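Review bot: In the service.yaml hunk the new `-sdnrwebsocket` entry gives `port` a fallback of "8182" but `targetPort: {{ .Values.service.sdnrWebsocketPort }}` has none, and values.yaml in this commit leaves `sdnrWebsocketPort` commented out, so `targetPort` renders empty by default. The StatefulSet hunk further down reads `.Values.sdnrWebsocketPort` (top level) for `SDNR_WEBSOCKET_PORT`, so overriding `service.sdnrWebsocketPort` would move the Service without moving the listener. I would use the same key and the same default in both places, e.g. `targetPort: {{ .Values.service.sdnrWebsocketPort | default "8182" }}`.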
@@ -108,18 +108,17 @@ metadata: name: sdnhost-{{ include "common.servicename" . }}-0 namespace: {{ .Release.Namespace }} labels: + app: sdnhost-{{ include "common.name" . }} statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-0 spec: ports: - - name: {{ .Values.service.portName }}-0-port-{{ .Values.service.internalPort4 }} - port: {{ .Values.service.clusterPort2 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort4 }} - name: {{ .Values.service.portName }}-0-port-{{ .Values.service.internalPort }} port: {{ .Values.service.clusterPort3 }} targetPort: {{ .Values.service.internalPort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort1 }} - type: NodePort + {{ end }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-0 {{ end }} 
@@ -131,18 +130,17 @@ metadata: name: sdnhost-{{ include "common.servicename" . }}-1 namespace: {{ .Release.Namespace }} labels: + app: sdnhost-{{ include "common.name" . }} statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-1 spec: ports: - - name: {{ .Values.service.portName }}-1-port-{{ .Values.service.internalPort4 }} - port: {{ .Values.service.clusterPort2 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort5 }} - name: {{ .Values.service.portName }}-1-port-{{ .Values.service.internalPort }} port: {{ .Values.service.clusterPort3 }} targetPort: {{ .Values.service.internalPort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort2 }} - type: NodePort + {{ end }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-1 {{ end }} 
@@ -154,18 +152,17 @@ metadata: name: sdnhost-{{ include "common.servicename" . }}-2 namespace: {{ .Release.Namespace }} labels: + app: sdnhost-{{ include "common.name" . }} statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2 spec: ports: - - name: {{ .Values.service.portName }}-2-port-{{ .Values.service.internalPort4 }} - port: {{ .Values.service.clusterPort2 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort6 }} - name: {{ .Values.service.portName }}-2-port-{{ .Values.service.internalPort }} port: {{ .Values.service.clusterPort3 }} targetPort: {{ .Values.service.internalPort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort3 }} - type: NodePort + {{ end }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2 {{ end }} @@ -183,12 +180,14 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: - type: NodePort + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} ports: - name: "{{ .Values.service.portName }}-callhome" port: {{ .Values.service.callHomePort }} targetPort: {{ .Values.service.callHomePort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.callHomeNodePort }} + {{ end }} selector: app.kubernetes.io/name: {{ include "common.name" . }} app.kubernetes.io/instance: {{ include "common.release" . }} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index d252c9a3fb..666a8ada12 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml 
+++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -20,13 +20,10 @@ apiVersion: apps/v1 kind: StatefulSet metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: {{ include "common.servicename" . }}-cluster - replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }}-cluster podManagementPolicy: Parallel + replicas: {{ .Values.replicaCount }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: 
@@ -105,22 +102,29 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} - name: ODL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} - {{ if and .Values.config.sdnr.dmaapProxy.enabled .Values.config.sdnr.dmaapProxy.usepwd }} - - name: DMAAP_HTTP_PROXY_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "login") | indent 10 }} - - name: DMAAP_HTTP_PROXY_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "password") | indent 10 }} - {{- end }} {{ if .Values.config.sdnr.oauth.enabled }} - name: OAUTH_TOKEN_SECRET {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oauth-token-secret" "key" "password") | indent 10 }} - name: KEYCLOAK_SECRET {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keycloak-secret" "key" "password") | indent 10 }} - - name: ENABLE_ODLUX_RBAC value: "{{ .Values.config.sdnr.oauth.odluxRbac.enabled | default "true" }}" {{ end }} - + - name: SDNR_KAFKA_ENABLED + value: "{{ .Values.config.sdnr.kafka.enabled | default "false" }}" + {{ if .Values.config.sdnr.kafka.enabled }} + - name: SDNR_KAFKA_BOOTSTRAP_SERVERS + value: "{{ .Values.config.sdnr.kafka.bootstrapServers | default (include "common.release" .) }}-strimzi-kafka-bootstrap.{{.Release.Namespace}}:9092" + - name: SDNR_KAFKA_SECURITY_PROTOCOL + value: "{{ .Values.config.sdnr.kafka.securityProtocol | default "SASL_PLAINTEXT" }}" + - name: SDNR_KAFKA_SASL_MECHANISM + value: "{{ .Values.config.sdnr.kafka.saslMechanism | default "SCRAM-SHA-512" }}" + - name: SDNR_KAFKA_SASL_JASS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + {{ end }} volumeMounts: - mountPath: /config-input name: config-input 
@@ -134,7 +138,7 @@ spec: - /app/ready.py args: {{ if .Values.dgbuilder.enabled -}} - - --container-name + - --service-name - {{ include "common.mariadbService" . }} - --job-name - {{ include "common.fullname" . }}-dbinit-job @@ -152,8 +156,14 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness - {{ end -}} -{{ include "common.certInitializer.initContainer" . | indent 6 }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + {{ end }} - name: {{ include "common.name" . }}-chown image: {{ include "repositoryGenerator.image.busybox" . }} command: @@ -165,11 +175,7 @@ spec: mkdir {{ .Values.persistence.mdsalPath }}/snapshots mkdir {{ .Values.persistence.mdsalPath }}/daexim chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }} -{{- if .Values.global.aafEnabled }} - chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }} -{{- end }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - mountPath: {{ .Values.persistence.mdsalPath }} name: {{ include "common.fullname" . }}-data containers: @@ -268,7 +274,7 @@ spec: - name: GEO_ENABLED value: "{{ .Values.config.geoEnabled}}" - name: SDNC_AAF_ENABLED - value: "{{ .Values.global.aafEnabled}}" + value: "false" - name: SDNC_REPLICAS value: "{{ .Values.replicaCount }}" - name: MYSQL_HOST 
@@ -297,13 +303,31 @@ spec: {{- end }} - name: SDNRONLY value: "{{ .Values.config.sdnr.sdnronly | default "false" }}" + {{- if .Values.config.sdnr.mariadb.enabled }} + - name: SDNRCONTROLLERID + value: {{ uuidv4 }} + - name: SDNRDBTYPE + value: MARIADB + - name: SDNRDBURL + value: "jdbc:mysql://{{ include "common.mariadbService" . }}:3306/{{ .Values.config.sdnr.mariadb.databaseName}}" + - name: SDNR_DB_DATABASE + value: {{ .Values.config.sdnr.mariadb.databaseName }} + - name: SDNRDBUSERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "login") | indent 12 }} + - name: SDNRDBPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "password") | indent 12 }} + - name: SDNR_ASYNC_HANDLING + value: {{ .Values.config.sdnr.mariadb.asyncHandling | default "false" | quote }} + - name: SDNR_ASYNC_POOLSIZE + value: {{ .Values.config.sdnr.mariadb.asyncPoolSize | default 200 | quote }} + {{- else }} - name: SDNRDBURL - {{- $prefix := ternary "https" "http" .Values.global.aafEnabled}} - value: "{{$prefix}}://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" + value: "http://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" {{- if .Values.config.sdnr.sdnrdbTrustAllCerts }} - name: SDNRDBTRUSTALLCERTS value: "true" {{- end }} + {{- end }} {{- if .Values.global.cmpv2Enabled }} - name: ODL_CERT_DIR value: {{ (mustFirst (.Values.certificates)).mountPath }} 
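Review bot: `SDNRCONTROLLERID` is set from `{{ uuidv4 }}`, which is evaluated each time the chart is rendered: every `helm upgrade` produces a different pod template and therefore a rollout of the StatefulSet, and all replicas receive the same id. If the id is meant to identify one controller instance, derive it from the pod instead, e.g. `valueFrom: {fieldRef: {fieldPath: metadata.name}}`, or take it from values so it stays stable. If a fresh shared id per render is intended, a comment next to the line should say so. The enclosing `env:` list starts and ends outside this hunk.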
@@ -332,15 +356,26 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ves-collector-secret" "key" "login") | indent 12 }} - name: SDNR_VES_COLLECTOR_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ves-collector-secret" "key" "password") | indent 12 }} + - name: SDNR_WEBSOCKET_PORT + value: "{{ .Values.sdnrWebsocketPort | default "8182"}}" + - name: SDNR_KAFKA_ENABLED + value: "{{ .Values.config.sdnr.kafka.enabled | default "false" }}" + {{ if .Values.config.sdnr.kafka.enabled }} + - name: SDNR_KAFKA_BOOTSTRAP_SERVERS + value: "{{ .Values.config.sdnr.kafka.bootstrapServers | default (include "common.release" .) }}-strimzi-kafka-bootstrap.{{.Release.Namespace}}:9092" + - name: SDNR_KAFKA_SECURITY_PROTOCOL + value: "{{ .Values.config.sdnr.kafka.securityProtocol | default "PLAINTEXT" }}" + - name: SDNR_KAFKA_SASL_MECHANISM + value: "{{ .Values.config.sdnr.kafka.saslMechanism | default "PLAIN" }}" + - name: SDNR_KAFKA_SASL_JASS_CONFIG + value: "{{ .Values.config.sdnr.kafka.saslJassConfig | default "PLAIN" }}" + {{ end }} + volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} {{- if .Values.global.cmpv2Enabled }} {{ include "common.certManager.volumeMounts" . | indent 10 }} {{- end }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/opendaylight/current/etc/org.ops4j.pax.logging.cfg name: sdnc-logging-cfg-config subPath: org.ops4j.pax.logging.cfg @@ -413,13 +448,9 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} {{ include "common.log.volumes" . | nindent 8 }} 
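Review bot: The Kafka settings added here for what appears to be the main container fall back to `PLAINTEXT`, `PLAIN` and a literal `"PLAIN"` for `SDNR_KAFKA_SASL_JASS_CONFIG`, whereas the earlier hunk (`@@ -105,22 +102,29 @@`) uses `SASL_PLAINTEXT`, `SCRAM-SHA-512` and a `secretKeyRef` to `{{ include "common.name" . }}-ku` for the same variables. With default values the two containers disagree, and this one selects an unauthenticated protocol. Setting `config.sdnr.kafka.saslJassConfig` would also place the JAAS credentials in values and in the pod spec as a plain `value`. I would reuse the defaults and the secret reference from the earlier hunk, as sketched below; the indentation is a guess, since the enclosing `env:` list begins outside the hunk.

```yaml
# … unchanged: SDNR_WEBSOCKET_PORT, SDNR_KAFKA_ENABLED, SDNR_KAFKA_BOOTSTRAP_SERVERS …
          - name: SDNR_KAFKA_SECURITY_PROTOCOL
            value: "{{ .Values.config.sdnr.kafka.securityProtocol | default "SASL_PLAINTEXT" }}"
          - name: SDNR_KAFKA_SASL_MECHANISM
            value: "{{ .Values.config.sdnr.kafka.saslMechanism | default "SCRAM-SHA-512" }}"
          - name: SDNR_KAFKA_SASL_JASS_CONFIG
            valueFrom:
              secretKeyRef:
                name: {{ include "common.name" . }}-ku
                key: sasl.jaas.config
# … unchanged: volumeMounts …
```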
@@ -441,7 +472,6 @@ spec: - name: {{ include "common.fullname" . }}-data emptyDir: {} {{ else }} -{{ include "common.certInitializer.volumes" . | nindent 8 }} {{- if .Values.global.cmpv2Enabled }} {{ include "common.certManager.volumes" . | nindent 8 }} {{- end }} diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 1fd5bf3363..dc5fe7469c 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -22,15 +22,19 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - aafEnabled: true centralizedLoggingEnabled: true mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false - service: mariadb-galera + service: &mariadbService mariadb-galera internalPort: 3306 - nameOverride: mariadb-galera + nameOverride: &mariadbName mariadb-galera + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: + ################################################################# # Secrets metaconfig 
@@ -45,13 +49,18 @@ secrets: # override this secret using external one with the same field that is used # to pass this to subchart. externalSecret: '{{ .Values.global.mariadbGalera.localCluster | - ternary ((hasSuffix "sdnc-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | - ternary - "" - (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .)) - (include "common.mariadb.secret.rootPassSecretName" - (dict "dot" . - "chartName" .Values.global.mariadbGalera.nameOverride)) }}' + ternary (( hasSuffix "sdnc-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) + ) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' - uid: db-secret name: &dbSecretName '{{ include "common.release" . }}-sdnc-db-secret' @@ -72,14 +81,6 @@ secrets: password: '{{ .Values.config.odlPassword }}' # For now this is left hardcoded but should be revisited in a future passwordPolicy: required - - uid: dmaap-proxy-creds - name: &dmaapProxyCredsSecretName '{{ include "common.release" . }}-sdnc-dmaap-proxy-creds' - type: basicAuth - externalSecret: '{{ .Values.config.dmaapProxyCredsExternalSecret }}' - login: '{{ .Values.config.sdnr.dmaapProxy.user }}' - password: '{{ .Values.config.sdnr.dmaapProxy.password }}' - # For now this is left hardcoded but should be revisited in a future - passwordPolicy: required - uid: netbox-apikey type: password externalSecret: '{{ .Values.config.netboxApikeyExternalSecret }}' 
@@ -185,6 +186,11 @@ secrets: type: basicAuth login: '{{ .Values.config.sdnr.vesCollector.username }}' password: '{{ .Values.config.sdnr.vesCollector.password }}' + - uid: sdnrdb-secret + name: &sdnrdbSecretName '{{ include "common.release" . }}-sdnc-sdnrdb-secret' + type: basicAuth + login: '{{ index .Values "config" "sdnr" "mariadb" "user" }}' + password: '{{ index .Values "config" "sdnr" "mariadb" "password" }}' ################################################################# # Certificates ################################################################# @@ -210,7 +216,7 @@ certificates: # application images pullPolicy: Always -image: onap/sdnc-image:2.4.1 +image: onap/sdnc-image:2.5.5 # flag to enable debugging - application support required debugEnabled: false 
@@ -324,18 +330,50 @@ config: # sdnronly: true starts sdnc container with odl and sdnrwt features only sdnronly: false sdnrdbTrustAllCerts: true - mountpointRegistrarEnabled: false + elasticsearch: + ## for legacy eleasticsearch database + enabled: &esdbenabled true + # enabled: &esdbenabled false + mariadb: + ## for legacy eleasticsearch database + enabled: false + # enabled: true + databaseName: sdnrdb + user: sdnrdb + externalSecret: *sdnrdbSecretName + asyncHandling: true + asyncPoolSize: 200 + kafka: + enabled: false + consumerGroupPrefix: &consumerGroupPrefix sdnr + # Strimzi KafkaUser config see configuration below + kafkaUser: &kafkaUser + acls: + - name: unauthenticated.SEC_ + type: topic + patternType: prefix + operations: [Read] + - name: unauthenticated.VES_PNFREG_OUTPUT + type: topic + patternType: literal + operations: [Read] + - name: *consumerGroupPrefix + type: group + patternType: prefix + operations: [Read] + ## set if bootstrap server is not OOM standard + # bootstrapServers: [] + ## set connection parameters if not default + # securityProtocol: PLAINTEXT + # saslMechanism: SCRAM-SHA-512 + ## saslJassConfig: provided by secret + + mountpointStateProviderEnabled: false netconfCallHome: enabled: true - # - # enable and set dmaap-proxy for mountpointRegistrar - dmaapProxy: - enabled: false - usepwd: true - user: addUserHere - password: addPasswordHere - url: addProxyUrlHere + + oauth: enabled: false tokenIssuer: ONAP SDNC 
@@ -366,31 +404,19 @@ config: username: sample1 password: sample1 address: dcae-ves-collector.onap - port: 8443 + port: 8080 version: v7 reportingEntityName: ONAP SDN-R eventLogMsgDetail: SHORT -# dependency / sub-chart configuration -certInitializer: - nameOverride: sdnc-cert-initializer - truststoreMountpath: /opt/onap/sdnc/data/stores - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: org.onap.sdnc - public_fqdn: "sdnc.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - echo "$cadi_keystore_password" > {{ .Values.credsPath }}/.pass 2>&1 +# Strimzi KafkaUser/Topic config on top level +kafkaUser: *kafkaUser + # dependency / sub-chart configuration network-name-gen: enabled: true + mariadb-galera: &mariadbGalera nameOverride: &sdnc-db sdnc-db config: &mariadbGaleraConfig @@ -400,15 +426,19 @@ mariadb-galera: &mariadbGalera rootUser: externalSecret: *rootDbSecret db: + name: *sdncDbName user: *dbUser externalSecret: *dbSecretName service: - name: sdnc-dbhost + name: sdnc-db sdnctlPrefix: sdnc persistence: mountSubPath: sdnc/mariadb-galera enabled: true replicaCount: 1 + mariadbOperator: + galera: + enabled: false serviceAccount: nameOverride: *sdnc-db @@ -460,8 +490,6 @@ sdnc-ansible-server: dgbuilder: enabled: true nameOverride: sdnc-dgbuilder - certInitializer: - nameOverride: sdnc-dgbuilder-cert-initializer config: db: dbName: *sdncDbName @@ -471,8 +499,8 @@ dgbuilder: (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" "mariadb-galera")) }}' userCredentialsExternalSecret: *dbSecretName - dbPodName: mariadb-galera - dbServiceName: mariadb-galera + dbPodName: *mariadbName + dbServiceName: *mariadbService # This should be revisited and changed to plain text dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 serviceAccount: 
@@ -480,18 +508,17 @@ dgbuilder: mariadb-galera: service: name: sdnc-dgbuilder - nodePort: "03" + ports: + - name: http + port: 3100 + nodePort: "03" ingress: enabled: false service: - baseaddr: "sdnc-dgbuilder-ui" name: "sdnc-dgbuilder" - port: 3000 - - baseaddr: "sdnc-web-service-api" - name: "sdnc-web-service" - port: 8443 - plain_port: 8080 + port: 3100 config: ssl: "redirect" @@ -500,12 +527,9 @@ dgbuilder: # local elasticsearch cluster localElasticCluster: true elasticsearch: + enabled: *esdbenabled nameOverride: &elasticSearchName sdnrdb name: sdnrdb-cluster - certInitializer: - fqdn: "sdnc" - fqi_namespace: org.onap.sdnc - fqi: "sdnc@sdnc.onap.org" service: name: *elasticSearchName master: @@ -521,6 +545,8 @@ elasticsearch: # enable sdnc-web: enabled: true + ## set if web socket port should not be default + # sdnrWebsocketPort: *sdnrWebsocketPort # default number of instances replicaCount: 1 @@ -547,7 +573,6 @@ service: internalPort: 8181 internalPort2: 8101 internalPort3: 8080 - internalPort4: 8443 #port externalPort: 8282 @@ -556,7 +581,6 @@ service: externalPort3: 8280 - externalPort4: 8443 nodePort4: 67 clusterPort: 2550 @@ -570,8 +594,12 @@ service: geoNodePort5: 65 geoNodePort6: 66 - callHomePort: 4334 + callHomePort: &chport 4334 callHomeNodePort: 66 + ## set if web socket port should not be default + ## change in sdnc-web section as well + # sdnrWebsocketPort: &sdnrWebsocketPort 8182 + ## Persist data to a persitent volume persistence: 
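Review bot: In the `@@ -556,7 +581,6 @@` hunk `nodePort4: 67` is left in place although `externalPort4: 8443` is removed there and `internalPort4: 8443` in the hunk before it, so the key no longer has a port to belong to. If no template still reads it (the templates are not part of these hunks), the line should be dropped with the other two. Otherwise it needs a comment saying which port it now maps to, e.g. `# nodePort4: kept for <port name>`. The `service:` map starts and ends outside the hunk.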
@@ -598,32 +626,41 @@ persistence: journalPath: /opt/opendaylight/segmented-journal snapshotsPath: /opt/opendaylight/snapshots -certpersistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 50Mi - mountPath: /dockerdata-nfs - mountSubPath: sdnc/certs - certPath: /opt/app/osaaf - ##storageClass: "manual" - ingress: enabled: false service: - - baseaddr: "sdnc-api" - name: "sdnc" - port: 8443 - plain_port: 8282 + - baseaddr: "sdnc-api" + name: "sdnc" + port: 8282 + - baseaddr: "sdnc-callhome" + name: "sdnc-callhome" + port: *chport + protocol: tcp + exposedPort: *chport + exposedProtocol: TCP config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: a1policymanagement-read + - serviceAccount: cds-blueprints-processor-read + - serviceAccount: consul-read + - serviceAccount: ncmp-dmi-plugin-read + - serviceAccount: policy-drools-pdp-read + - serviceAccount: robot-read + - serviceAccount: sdnc-ansible-server-read + - serviceAccount: sdnc-dmaap-listener-read + - serviceAccount: sdnc-prom-read + - serviceAccount: sdnc-ueb-listener-read + - serviceAccount: sdnc-web-read + - serviceAccount: so-sdnc-adapter-read + - serviceAccount: istio-ingress + namespace: istio-ingress + authorizedPrincipalsSdnHosts: + - serviceAccount: sdnc-read + #Resource Limit flavor -By Default using small flavor: small #segregation for different envionment (Small and Large) @@ -631,18 +668,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4.7Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "4.7Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "9.4Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "9.4Gi" unlimited: {} #Pods Service Account 
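Review bot: In the `@@ -598,32 +626,41 @@` hunk the new `serviceMesh.authorizationPolicy.authorizedPrincipals` list has no comment on why each of its thirteen accounts needs access. It also includes `istio-ingress`, so anything admitted by the ingress gateway is authorised as that single principal, including the raw TCP `sdnc-callhome` entry added just above once `ingress.enabled` is set. Caller-level access control for traffic from outside the cluster then has to come from the application itself; this is inferred, since the `common.authorizationPolicy` template is not visible here. I would add a comment above the list such as `# mesh workloads allowed to call sdnc; istio-ingress stands for all external traffic and is not narrowed further here`, and check whether a test account like `robot-read` belongs in the default list.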
@@ -654,3 +691,8 @@ serviceAccount: #Log configuration log: path: /var/log/onap + +readinessCheck: + wait_for: + services: + - '{{ include "common.mariadbService" . }}' diff --git a/kubernetes/sniro-emulator/.helmignore b/kubernetes/sniro-emulator/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/sniro-emulator/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/sniro-emulator/Chart.yaml b/kubernetes/sniro-emulator/Chart.yaml deleted file mode 100644 index dddacebcba..0000000000 --- a/kubernetes/sniro-emulator/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Mock Sniro Emulator -name: sniro-emulator -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/sniro-emulator/templates/NOTES.txt b/kubernetes/sniro-emulator/templates/NOTES.txt deleted file mode 100644 index c233cade6b..0000000000 --- a/kubernetes/sniro-emulator/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . 
}} -l "app={{ .Chart.Name }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/sniro-emulator/templates/deployment.yaml b/kubernetes/sniro-emulator/templates/deployment.yaml deleted file mode 100644 index 0dff4eb7be..0000000000 --- a/kubernetes/sniro-emulator/templates/deployment.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sniro-emulator/templates/service.yaml b/kubernetes/sniro-emulator/templates/service.yaml deleted file mode 100644 index 9119071ab2..0000000000 --- a/kubernetes/sniro-emulator/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName | default "http" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName | default "http" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/sniro-emulator/values.yaml b/kubernetes/sniro-emulator/values.yaml deleted file mode 100644 index 8f43a4f46b..0000000000 --- a/kubernetes/sniro-emulator/values.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: # global defaults - nodePortPrefix: 302 - -# application image -image: onap/sniroemulator:1.0.0 -pullPolicy: IfNotPresent - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: sniro-emulator - internalPort: 9999 - externalPort: 80 - nodePort: 88 - portName: http - -ingress: - enabled: false - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi diff --git a/kubernetes/so/Chart.yaml b/kubernetes/so/Chart.yaml index b9c54d47ef..83419673fe 100755 --- a/kubernetes/so/Chart.yaml +++ b/kubernetes/so/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,92 +17,88 @@ apiVersion: v2 description: ONAP Service Orchestrator name: so -version: 12.0.0 +version: 13.0.2 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - condition: global.aafEnabled - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/soHelpers' - name: so-admin-cockpit - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-admin-cockpit' condition: so-admin-cockpit.enabled - - name: so-appc-orchestrator - version: ~12.x-0 - repository: 'file://components/so-appc-orchestrator' - condition: so-appc-orchestrator.enabled - name: so-bpmn-infra - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-bpmn-infra' - name: so-catalog-db-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-catalog-db-adapter' condition: so-catalog-db-adapter.enabled - name: so-cnf-adapter - version: ~12.x-0 + version: ~13.x-0 repository: "file://components/so-cnf-adapter" condition: so-cnf-adapter.enabled + - name: so-cnfm-lcm + version: ~13.x-0 + repository: 'file://components/so-cnfm-lcm' + condition: so-cnfm-lcm.enabled - name: so-etsi-nfvo-ns-lcm - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-etsi-nfvo-ns-lcm' condition: so-etsi-nfvo-ns-lcm.enabled - name: so-etsi-sol003-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-etsi-sol003-adapter' condition: so-etsi-sol003-adapter.enabled - name: 
so-mariadb - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-mariadb' - name: so-nssmf-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-nssmf-adapter' condition: so-nssmf-adapter.enabled - name: so-oof-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-oof-adapter' condition: so-oof-adapter.enabled - name: so-openstack-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-openstack-adapter' condition: so-openstack-adapter.enabled - name: so-request-db-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-request-db-adapter' - name: so-sdc-controller - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-sdc-controller' - name: so-sdnc-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-sdnc-adapter' condition: so-sdnc-adapter.enabled - name: so-ve-vnfm-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-ve-vnfm-adapter' condition: so-ve-vnfm-adapter.enabled - name: so-etsi-sol005-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-etsi-sol005-adapter' condition: so-etsi-sol005-adapter.enabled - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-admin-cockpit/Chart.yaml b/kubernetes/so/components/so-admin-cockpit/Chart.yaml index 89534e746c..defd598c1c 100644 --- a/kubernetes/so/components/so-admin-cockpit/Chart.yaml +++ b/kubernetes/so/components/so-admin-cockpit/Chart.yaml 
@@ -21,21 +21,18 @@ apiVersion: v2 description: A Helm chart for ONAP Service Orchestration Monitoring name: so-admin-cockpit -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: soHelpers - version: ~12.x-0 - repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml b/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml index dc9a4f2dad..7657415f98 100644 --- a/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml @@ -3,21 +3,11 @@ server: forward-headers-strategy: none {{- end }} port: {{ index .Values.containerPort }} - {{- if .Values.global.aafEnabled }} - ssl: - keyStore: ${KEYSTORE} - keyStorePassword: ${KEYSTORE_PASSWORD} - trustStore: ${TRUSTSTORE} - trustStorePassword: ${TRUSTSTORE_PASSWORD} - {{- else }} ssl: enabled: false - {{- end }} tomcat: max-threads: 50 - {{- if not .Values.global.aafEnabled }} ssl-enable: false - {{- end }} camunda: rest: api: diff --git a/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml b/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml index 808c439181..372224cb2e 100644 --- a/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml +++ b/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml @@ -21,18 +21,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} 
@@ -40,12 +32,9 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} + initContainers: - name: so-chown image: {{ include "repositoryGenerator.image.busybox" . }} volumeMounts: @@ -57,21 +46,13 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} command: - /bin/sh args: - -c - | export SO_COCKPIT_PASSWORD=`htpasswd -bnBC 10 "" $SO_COCKPIT_PASS | tr -d ':\n' | sed 's/\$2y/\$2a/'` - {{- if .Values.global.aafEnabled }} - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.cred.props | xargs -0) - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE=file://$cadi_keystore - export KEYSTORE_PASSWORD=$cadi_keystore_password_p12 - export TRUSTSTORE=file://$cadi_truststore - export TRUSTSTORE_PASSWORD=$cadi_truststore_password - {{- end }} /app/start-app.sh env: - name: DB_HOST @@ -95,7 +76,7 @@ spec: - configMapRef: name: {{ include "common.fullname" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -114,16 +95,12 @@ spec: successThreshold: {{ index .Values.livenessProbe.successThreshold}} failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml b/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml index 8f87c68f1e..65f46c48c1 100644 --- a/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml +++ b/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/so/components/so-admin-cockpit/templates/service.yaml b/kubernetes/so/components/so-admin-cockpit/templates/service.yaml index b23e5ab99e..03b8df3e10 100644 
--- a/kubernetes/so/components/so-admin-cockpit/templates/service.yaml +++ b/kubernetes/so/components/so-admin-cockpit/templates/service.yaml @@ -19,32 +19,5 @@ # ============LICENSE_END========================================================= # @author: gareth.roper@ericsson.com */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - {{if .Values.global.aafEnabled -}} - type: {{ .Values.service.type }} - {{- else -}} - type: ClusterIP - {{- end }} - ports: - {{if and (eq .Values.service.type "NodePort") (.Values.global.aafEnabled) -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-admin-cockpit/values.yaml b/kubernetes/so/components/so-admin-cockpit/values.yaml index 7e4a654acb..53d185c35d 100644 --- a/kubernetes/so/components/so-admin-cockpit/values.yaml +++ b/kubernetes/so/components/so-admin-cockpit/values.yaml 
@@ -26,20 +26,14 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 - readinessImage: onap/oom/readiness:3.0.1 - aafAgentImage: onap/aaf/aaf_agent:2.1.20 + readinessImage: onap/oom/readiness:6.0.3 envsubstImage: dibi/envsubst - aafEnabled: true persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: true - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' ################################################################# @@ -75,6 +69,15 @@ repository: nexus3.onap.org:10001 image: onap/so/so-admin-cockpit:1.9.0 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -93,12 +96,6 @@ app: so-admin-cockpit # soHelpers part ################################################################# soHelpers: - nameOverride: so-cockpit-cert-init - certInitializer: - nameOverride: so-cockpit-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.monitoringPerm containerPort: *containerPort server: 
@@ -108,54 +105,62 @@ server: # soMonitoringCredsExternalSecret: some secret service: -#Since this is a feature for monitoring the service type is changed to internal, users can change it to NodePort on need basis... - type: NodePort - nodePort: 24 - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: NodePort + ports: + - port: *containerPort + name: http + nodePort: 24 + updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 # Resource Limit flavor -By Default using small flavor: small #Segregation for different environment (Small or large) resources: - small: - requests: - memory: 1Gi - cpu: 10m - limits: - memory: 4Gi - cpu: 1 - large: - requests: - memory: 2Gi - cpu: 20m - limits: - memory: 8Gi - cpu: 2 + small: + requests: + cpu: "0.5" + memory: "1Gi" + limits: + cpu: "1" + memory: "4Gi" + large: + requests: + cpu: "1" + memory: "2Gi" + limits: + cpu: "2" + memory: "8Gi" + unlimited: {} readinessProbe: - port: 9091 - initialDelaySeconds: 20 - periodSeconds: 10 - timeoutSeconds: 10 + port: 9091 + initialDelaySeconds: 40 + periodSeconds: 10 + timeoutSeconds: 10 livenessProbe: - port: 9091 - initialDelaySeconds: 40 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + port: 9091 + initialDelaySeconds: 80 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: - enabled: false - service: - - baseaddr: "so-admin-cockpit-ui" - name: "so-admin-cockpit" - port: 9091 - config: - ssl: "none" + enabled: false + service: + - baseaddr: "so-admin-cockpit-ui" + name: "so-admin-cockpit" + port: 9091 + config: + ssl: "none" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: portal-app-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress nodeSelector: {} tolerations: [] affinity: {} 
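Review bot: `service.type: NodePort` with an `http` port and `nodePort: 24` now applies unconditionally. The removed `service.yaml` template honoured NodePort only when `global.aafEnabled` was set and otherwise forced `type: ClusterIP`, and the comment deleted in this hunk said the type was meant to be internal. With the TLS settings also removed in `override.yaml`, the admin cockpit login would be reachable on a node port over plain HTTP unless `common.service` downgrades the type (that template is not visible here). Defaulting to `type: ClusterIP` and letting operators opt in to NodePort would keep the earlier exposure.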
diff --git a/kubernetes/so/components/so-appc-orchestrator/Chart.yaml b/kubernetes/so/components/so-appc-orchestrator/Chart.yaml deleted file mode 100644 index 51a80959d0..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright © 2020 AT&T USA -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: A Helm chart for so appc orchestrator -name: so-appc-orchestrator -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: soHelpers - version: ~12.x-0 - repository: 'file://../soHelpers' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml b/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml deleted file mode 100644 index 061d8f0847..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -server: - {{- if include "common.onServiceMesh" . }} - forward-headers-strategy: none - {{- end }} - port: {{ index .Values.containerPort }} - tomcat: - max-threads: 50 - ssl-enable: false -mso: - logPath: ./logs/soappcorch - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.auth.rest.aafEncrypted "value2" .Values.mso.auth )}} - msoKey: {{ .Values.global.app.msoKey }} - config: - {{ if .Values.global.security.aaf.enabled }} - cadi: {{ include "so.cadi.keys" . | nindent 8}} - {{- else }} - cadi: - aafId: {{ .Values.mso.basicUser }} - {{- end }} - workflow: - endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/sobpmnengine - topics: - retryMultiplier: 1000 -appc: - client: - topic: - read: - name: {{ .Values.appc.client.topic.read.name }} - timeout: {{ .Values.appc.client.topic.read.timeout }} - write: {{ .Values.appc.client.topic.write }} - sdnc: - read: {{ .Values.appc.client.topic.sdnc.read }} - write: {{ .Values.appc.client.topic.sdnc.write }} - response: - timeout: {{ .Values.appc.client.response.timeout }} - key: {{ .Values.appc.client.key }} - secret: {{ .Values.appc.client.secret }} - service: ueb - poolMembers: message-router.{{ include "common.namespace" . }}:3904,message-router.{{ include "common.namespace" . 
}}:3904 -spring: - security: - usercredentials: - - - username: ${ACTUATOR_USERNAME} - password: ${ACTUATOR_PASSWORD} - role: ACTUATOR diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml deleted file mode 100755 index 6abb1673d5..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-app-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml deleted file mode 100644 index d6584250e2..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ index .Values.replicaCount }} - minReadySeconds: {{ index .Values.minReadySeconds }} - strategy: - type: {{ index .Values.updateStrategy.type }} - rollingUpdate: - maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} - maxSurge: {{ index .Values.updateStrategy.maxSurge }} - template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} - spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} - - name: {{ include "common.name" . }}-pass-encoder - command: - - sh - args: - {{/* bcrypt plain text and convert to OpenBSD variant using sed */}} - - -c - - htpasswd -bnBC 10 "" "${ACTUATOR_PASSWORD}" | tr -d ':\n' | sed 's/\$2y/\$2a/' 1>/tmp/app/encoded; - env: - - name: ACTUATOR_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 10 }} - image: {{ include "repositoryGenerator.image.htpasswd" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: encoder - mountPath: /tmp/app - containers: - - name: {{ include "common.name" . 
}} - command: - - sh - args: - - -c - - | - export ACTUATOR_PASSWORD="$(cat /tmp/app/encoded)" - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - {{- end }} - /app/start-app.sh - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: ACTUATOR_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} - envFrom: - - configMapRef: - name: {{ include "common.fullname" . }}-configmap - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{- include "common.containerPorts" . | nindent 10 }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - - name: logs - mountPath: /app/logs - - name: encoder - mountPath: /tmp/app - - name: config - mountPath: /app/config - readOnly: true -{{ include "so.helpers.livenessProbe" .| indent 8 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} - - name: logs - emptyDir: {} - - name: encoder - emptyDir: - medium: Memory - - name: config - configMap: - name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml deleted file mode 100644 index 7f004cc050..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-appc-orchestrator/values.yaml b/kubernetes/so/components/so-appc-orchestrator/values.yaml deleted file mode 100644 index 724fcbd032..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/values.yaml +++ /dev/null 
@@ -1,166 +0,0 @@ -# Copyright © 2020 AT&T USA -# Copyright © 2020 Huawei -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# - -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - persistence: - mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - app: - msoKey: 07a7159d3bf51a0e53be7a8f89699be7 -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-user-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' - login: '{{ .Values.db.userName }}' - password: '{{ .Values.db.userPassword }}' - passwordPolicy: required - - uid: db-admin-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' - login: '{{ .Values.db.adminName }}' - password: '{{ .Values.db.adminPassword }}' - passwordPolicy: required - - uid: server-actuator-creds - name: '{{ include "common.release" . }}-so-appc-actuator-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.server.actuatorCredsExternalSecret) . 
}}' - login: '{{ .Values.server.actuator.username }}' - password: '{{ .Values.server.actuator.password }}' - passwordPolicy: required - -#secretsFilePaths: | -# - 'my file 1' -# - '{{ include "templateThatGeneratesFileName" . }}' - -################################################################# -# Application configuration defaults. -################################################################# -image: onap/so/so-appc-orchestrator:1.6.4 -pullPolicy: Always - -db: - userName: so_user - userPassword: so_User123 - # userCredsExternalSecret: some secret - adminName: so_admin - adminPassword: so_Admin123 - # adminCredsExternalSecret: some secret -server: - actuator: - username: mso_admin - password: password1$ -replicaCount: 1 -minReadySeconds: 10 -containerPort: &containerPort 8080 -logPath: ./logs/soappcorch -app: appc-orchestrator -service: - name: so-appc-orchestrator - type: ClusterIP - ports: - - port: *containerPort - name: http -updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 -# Resource Limit flavor -By Default using small -flavor: small - - -################################################################# -# soHelper part -################################################################# - -soHelpers: - nameOverride: so-appc-cert-init - certInitializer: - nameOverride: so-appc-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.openStackAdapterPerm - containerPort: *containerPort - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 8Gi - cpu: 4000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} -livenessProbe: - path: /manage/health - port: 8083 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 -ingress: - enabled: false -nodeSelector: {} -tolerations: [] -affinity: {} - -auth: - rest: 
- encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 - -mso: - auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 - basicUser: poBpmn - -appc: - client: - topic: - read: - name: APPC-LCM-WRITE - timeout: 360000 - write: APPC-LCM-READ - sdnc: - read: SDNC-LCM-WRITE - write: SDNC-LCM-READ - response: - timeout: 3600000 - key: VIlbtVl6YLhNUrtU - secret: 64AG2hF4pYeG2pq7CT6XwUOT - service: ueb - -#Pods Service Account -serviceAccount: - nameOverride: so-appc-orchestrator - roles: - - read diff --git a/kubernetes/so/components/so-bpmn-infra/Chart.yaml b/kubernetes/so/components/so-bpmn-infra/Chart.yaml index 08cdb93a52..6f52dfaef3 100755 --- a/kubernetes/so/components/so-bpmn-infra/Chart.yaml +++ b/kubernetes/so/components/so-bpmn-infra/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 AT&T USA # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,24 +18,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for SO Bpmn Infra name: so-bpmn-infra -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml index 77e553bd67..eebc71a11a 100755 --- a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 AT&T USA +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,14 +15,10 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} + auth: {{ .Values.aai.auth }} dme2: timeout: '30000' - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} workflowAaiDistributionDelay: PT30S pnfEntryNotificationTimeout: P14D cds: @@ -45,14 +42,13 @@ camunda: entitymanager: packagesToScan: com pnf: - dmaap: - host: message-router - port: 3904 - protocol: http - uriPathPrefix: events - topicName: unauthenticated.PNF_READY - consumerGroup: consumerGroup - consumerId: consumerId + kafka: + pnfReadyTopicName: unauthenticated.PNF_READY + pnfUpdateTopicName: unauthenticated.PNF_UPDATE + consumerGroup: so-consumer + consumerId: so-bpmn-infra-pnfready + consumerIdUpdate: so-bpmn-infra-pnfupdate + kafkaBootstrapServers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 topicListenerDelayInSeconds: 5 bpelURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081 msb-ip: msb-iag 
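Review bot: The `aai.endpoint` line in the `@@ -14,14 +15,10 @@` hunk is now unconditionally `http://aai.{{ include "common.namespace" . }}:80`, and `oof.endpoint` in the later `@@ -165,11 +159,7 @@` hunk loses its `https` branch in the same way, while both sections still carry an `auth:` value. Transport protection for those credentials then rests entirely on service-mesh mTLS, which nothing in these hunks enforces or checks. A comment above each endpoint, for example `# plaintext by design: relies on service mesh mTLS between SO and AAI`, would record the assumption. If installs without the mesh are still supported, a render-time guard on `common.onServiceMesh` would be stronger.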
@@ -65,8 +61,6 @@ mso: correlation: timeout: 60 logPath: logs - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} async: core-pool-size: 50 max-pool-size: 50 @@ -79,7 +73,7 @@ mso: endpoint: http://so-openstack-adapter.{{ include "common.namespace" . }}:8087/CompleteMsoProcess requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} db: auth: {{ .Values.mso.adapters.db.auth }} password: {{ .Values.mso.adapters.db.password }} @@ -131,7 +125,7 @@ mso: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} default: adapter: namespace: http://org.onap.mso @@ -165,11 +159,7 @@ mso: oof: auth: {{ .Values.mso.oof.auth }} callbackEndpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage - {{ if (include "common.needTLS" .) }} - endpoint: https://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ else }} endpoint: http://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ end }} timeout: PT30M workflow: CreateGenericVNFV1: @@ -404,6 +394,9 @@ so: adapter: url: http://so-etsi-sol003-adapter.{{ include "common.namespace" . }}:9092/so/vnfm-adapter/v1 auth: {{ .Values.so.sol003.adapter.auth }} +cnfm: + endpoint: + url: http://so-cnfm-lcm.{{ include "common.namespace" . }}:9888 org: onap: so: 
diff --git a/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml b/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml index 58ac6d9ab8..954f8e8b0f 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml @@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap 
@@ -27,6 +23,10 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml index 2b8b827f91..ec1932143d 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 AT&T USA +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,18 +16,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} 
@@ -34,30 +27,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +48,16 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} + - name: JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -85,14 +66,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -104,5 +82,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-bpmn-infra/templates/kafkatopic.yaml b/kubernetes/so/components/so-bpmn-infra/templates/kafkatopic.yaml new file mode 100644 index 0000000000..8e3ee32cb2 --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} 
diff --git a/kubernetes/so/components/so-bpmn-infra/templates/kafkauser.yaml b/kubernetes/so/components/so-bpmn-infra/templates/kafkauser.yaml new file mode 100644 index 0000000000..5c7edd5b19 --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/so/components/so-bpmn-infra/templates/service.yaml b/kubernetes/so/components/so-bpmn-infra/templates/service.yaml index 5b8dee0774..739cb279c1 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/service.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/service.yaml 
@@ -13,28 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-bpmn-infra/values.yaml b/kubernetes/so/components/so-bpmn-infra/values.yaml index b120d0c23f..d5cee518db 100755 --- a/kubernetes/so/components/so-bpmn-infra/values.yaml +++ b/kubernetes/so/components/so-bpmn-infra/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2018 AT&T USA # Copyright © 2020 Huawei +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -22,14 +23,10 @@ global: #This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - security: - aaf: - enabled: false - aaf: - auth: - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' readinessCheck: @@ -63,9 +60,24 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/bpmn-infra:1.11.0 +image: onap/so/bpmn-infra:1.13.0 pullPolicy: Always +kafkaUser: + acls: + - name: so-consumer + type: group + patternType: literal + operations: [Read] + - name: unauthenticated.PNF_READY + type: topic + patternType: literal + operations: [Read] + - name: unauthenticated.PNF_UPDATE + type: topic + patternType: literal + operations: [Read] + bpmn: historyTTL: 14 @@ -73,6 +85,15 @@ camunda: sundayCleanupWindowStartTime: "04:00" sundayCleanupWindowEndTime: "10:00" +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
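Review bot: The `kafkaUser.acls` entries added in the `@@ -63,9 +60,24 @@` hunk repeat by hand the group and topic names that `pnf.kafka` sets in `resources/config/overrides/override.yaml` (`so-consumer`, `unauthenticated.PNF_READY`, `unauthenticated.PNF_UPDATE`), and nothing ties the two files together. The ACLs are literal and limited to `Read`, which keeps the grant narrow. A rename on either side would leave the consumer denied at runtime rather than failing when the chart is rendered. A comment above the block, for example `# names must match pnf.kafka.* in resources/config/overrides/override.yaml`, would document the coupling.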
@@ -121,24 +142,18 @@ logPath: ./logs/bpmn/ app: so-bpmn-infra service: type: ClusterIP - internalPort: *containerPort - externalPort: 8081 - portName: http + ports: + - port: *containerPort + name: http updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 ################################################################# -# soHelper part +# soHelpers part ################################################################# soHelpers: - nameOverride: so-bpmn-cert-init - certInitializer: - nameOverride: so-bpmn-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.bpmnPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -147,18 +162,18 @@ flavor: large resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "3Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "3Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "6Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "6Gi" unlimited: {} livenessProbe: path: /manage/health @@ -170,6 +185,16 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-admin-cockpit-read + - serviceAccount: so-oof-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-sdnc-adapter-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml b/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml index 50ffb8cd90..04021f9e65 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml 
@@ -16,24 +16,24 @@ apiVersion: v2 description: A Helm chart for so-catalog-db-adapter name: so-catalog-db-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml index c82a0d29d4..d5a3aeff44 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml @@ -24,14 +24,12 @@ ssl-enable: false mso: logPath: logs site-name: onapheat - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.db.auth )}} + auth: {{ .Values.mso.adapters.db.auth }} spring: datasource: hikari: diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml index 6331656fce..c334fd7699 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml index fa9d3a6a4b..e3a77de71d 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml 
@@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} @@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
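Review bot: Replacing the hand-written `matchLabels` (`app: {{ include "common.name" . }}`) with `selector: {{- include "common.selectors" . | nindent 4 }}` touches `spec.selector`, which Kubernetes treats as immutable on an existing Deployment. The helper's output is not shown here, so this is an assumption to confirm: if it emits a different label set, an in-place `helm upgrade` from the 12.x chart will be rejected until the old Deployment is deleted. The `ports:` and `metadata:` helpers in the second hunk change labels and port names in the same way, so check that the Service selector and any policy matching on the old `app`/`release` labels still resolve. A line in the release notes saying the Deployment must be recreated would save operators a failed rollout.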
@@ -71,28 +47,23 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml index 5b8dee0774..739cb279c1 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml 
@@ -13,28 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-catalog-db-adapter/values.yaml b/kubernetes/so/components/so-catalog-db-adapter/values.yaml index 060ac7f82f..5a5325f629 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/values.yaml @@ -19,16 +19,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= app: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 mariadbGalera: - serviceName: mariadb-galera + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -62,9 +56,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/catalog-db-adapter:1.11.0 +image: onap/so/catalog-db-adapter:1.12.2 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -84,25 +87,19 @@ containerPort: &containerPort 8082 logPath: ./logs/catdb/ app: catalog-db-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - port: *containerPort + name: http updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# -# soHelper part +# soHelpers part ################################################################# soHelpers: - nameOverride: so-catalogdb-cert-init - certInitializer: - nameOverride: so-catalogdb-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.catalogDbAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -111,30 +108,39 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8082 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8082 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-sdnc-adapter-read config: openStackUserName: "vnf_user" openStackRegion: "RegionOne" @@ -154,4 +160,3 @@ serviceAccount: nameOverride: so-catalog-db-adapter roles: - read - diff --git a/kubernetes/so/components/so-cnf-adapter/Chart.yaml b/kubernetes/so/components/so-cnf-adapter/Chart.yaml index 82cebafbfa..c9bac65aa7 100755 --- a/kubernetes/so/components/so-cnf-adapter/Chart.yaml +++ b/kubernetes/so/components/so-cnf-adapter/Chart.yaml 
@@ -18,24 +18,24 @@ apiVersion: v2 appVersion: "1.7.1" description: A Helm chart for Kubernetes name: so-cnf-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml index d667cb5c60..a1a25be146 100755 --- a/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml @@ -15,12 +15,8 @@ */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.server.aai.auth ) }} - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} + auth: {{ .Values.server.aai.auth }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} enabled: {{ .Values.global.aai.enabled }} logging: path: logs diff --git a/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml 
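Review bot: In override.yaml, `endpoint: http://aai.{{ include "common.namespace" . }}:80` is now unconditional, so whatever credential the adapter derives from `aai.auth` on the line above always travels to AAI over plain HTTP. The removed `common.needTLS` branch was the only path to the 8443 listener. Transport protection for that credential now rests entirely on service-mesh mTLS between the pods, which this file neither requires nor checks. I would make the dependency explicit next to the endpoint, e.g. `# plain HTTP: relies on service-mesh mTLS for transport protection`. The new so-cnfm-lcm override.yaml uses the same plain-HTTP form for both its AAI and SDC endpoints.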
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml b/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml index c5ebec0b15..786dd83f59 100755 --- a/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml @@ -20,7 +20,7 @@ metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "env") | data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml b/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml index 340571a59b..d8670f1c41 100755 --- a/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml @@ -30,7 +30,7 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 8 }} + initContainers: - name: {{ include "common.name" . }}-encrypter command: - sh 
@@ -59,39 +59,25 @@ spec: args: - -c - | - export AAF_BASE64=$(echo -n "${AAF_USERNAME}:${AAF_PASSWORD}" | base64) - export AAF_AUTH=$(echo "Basic ${AAF_BASE64}") export AAI_AUTH=$(cat /input/.aai_creds) - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password}" - {{- end }} - {{- end }} ./start-app.sh resources: {{ include "common.resources" . | nindent 12 }} ports: {{- include "common.containerPorts" . | nindent 12 }} env: - - name: AAF_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-aaf-creds" "key" "login") | indent 14 }} - - name: AAF_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-aaf-creds" "key" "password") | indent 14 }} - name: ACTUATOR_USERNAME {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 14 }} - name: ACTUATOR_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 14 }} - {{ include "so.certificates.env" . | indent 12 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-env imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true - readOnly: true - name: encoder mountPath: /input livenessProbe: @@ -105,7 +91,7 @@ spec: successThreshold: {{ index .Values.livenessProbe.successThreshold}} failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config 
@@ -114,5 +100,4 @@ spec: - name: encoder emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-cnf-adapter/values.yaml b/kubernetes/so/components/so-cnf-adapter/values.yaml index 6d7eec4a64..32f87270a6 100755 --- a/kubernetes/so/components/so-cnf-adapter/values.yaml +++ b/kubernetes/so/components/so-cnf-adapter/values.yaml @@ -20,12 +20,6 @@ global: soCryptoImage: sdesbure/so_crypto:latest persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: ${AAF_AUTH} aai: enabled: true ################################################################# @@ -51,13 +45,6 @@ secrets: login: '{{ .Values.server.actuator.username }}' password: '{{ .Values.server.actuator.password }}' passwordPolicy: required - - uid: so-aaf-creds - name: '{{ include "common.release" . }}-so-cnf-aaf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.server.aafCredsExternalSecret) . }}' - login: '{{ .Values.server.aaf.username }}' - password: '{{ .Values.server.aaf.password }}' - passwordPolicy: required - uid: so-aai-creds name: '{{ include "common.release" . }}-so-cnf-aai-creds' type: basicAuth @@ -84,6 +71,15 @@ readinessCheck: jobs: - '{{ include "common.release" . }}-so-mariadb-config-job' +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -92,10 +88,6 @@ db: adminPassword: so_Admin123 # adminCredsExternalSecret: some secret server: - aaf: - username: so@so.onap.org - password: demo123456 - # aafCredsExternalSecret: some secret aai: username: aai@aai.onap.org password: demo123456! 
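Review bot: In values.yaml, `soCryptoImage: sdesbure/so_crypto:latest` stays in `global` while the AAF settings around it are cleaned out. A `:latest` tag from a personal registry namespace cannot be audited or reproduced. Judging by the name, this image backs the `-encrypter` init container that writes `/input/.aai_creds`; that container's image line is outside the visible hunks, so confirm. If so, whoever controls the tag sees the AAI credentials on every pod start. Pin it to a released tag or digest, e.g. `soCryptoImage: <registry>/<image>@sha256:<digest>` (placeholder values), preferably mirrored into the project's own registry.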
@@ -125,32 +117,31 @@ updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# soHelpers: - nameOverride: so-cnf-cert-init - certInitializer: - nameOverride: so-cnf-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.openStackAdapterPerm containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: path: /manage/health @@ -163,6 +154,10 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-cnfm-lcm/Chart.yaml b/kubernetes/so/components/so-cnfm-lcm/Chart.yaml new file mode 100644 index 0000000000..df3eed7bd7 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/Chart.yaml 
@@ -0,0 +1,38 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: so-cnfm-lcm +description: ONAP SO CNFM LCM +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: soHelpers + version: ~13.x-0 + repository: 'file://../soHelpers' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/so/components/so-cnfm-lcm/resources/config/overrides/override.yaml b/kubernetes/so/components/so-cnfm-lcm/resources/config/overrides/override.yaml new file mode 100644 index 0000000000..411b75f0a3 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/resources/config/overrides/override.yaml 
@@ -0,0 +1,53 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +aai: + auth: {{ .Values.aai.auth }} + version: v24 + endpoint: http://aai.{{ include "common.namespace" . }}:80 +spring: + datasource: + hikari: + camunda: + jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/camundabpmn + username: ${DB_USERNAME} + password: ${DB_PASSWORD} + driver-class-name: org.mariadb.jdbc.Driver + pool-name: bpmn-pool + registerMbeans: true + cnfm: + jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/cnfm + username: ${DB_ADMIN_USERNAME} + password: ${DB_ADMIN_PASSWORD} + driver-class-name: org.mariadb.jdbc.Driver + pool-name: cnfm-pool + registerMbeans: true +server: + port: {{ .Values.containerPort }} + tomcat: + max-threads: 50 +mso: + key: {{ .Values.mso.key }} +sdc: + username: {{ .Values.sdc.username }} + password: {{ .Values.sdc.password }} + key: {{ .Values.sdc.key }} + endpoint: http://sdc-be.{{ include "common.namespace" . }}:8080 +camunda: + bpm: + history-level: full + job-execution: + max-pool-size: 30 + core-pool-size: 3 + deployment-aware: true diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml 
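Review bot: `sdc.password`, `sdc.key`, `mso.key` and `aai.auth` are templated into this file straight from values, and this chart's configmap.yaml renders everything under `resources/config/overrides/*` into the `-app-configmap` ConfigMap. These secrets therefore become readable by anyone with ConfigMap read access in the namespace. The datasource entries in the same file already use the `${DB_PASSWORD}` form, fed from a Secret through `common.secret.envFromSecretFast`. The same route fits here: declare the values in the `secrets:` metaconfig and write, for example, `password: ${SDC_PASSWORD}` (constructed variable name). Separately, the `cnfm` datasource logs in with `${DB_ADMIN_USERNAME}`/`${DB_ADMIN_PASSWORD}`; if admin rights are only needed to create the schema, a dedicated least-privilege user would be safer for the running service.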
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/configmap.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/configmap.yaml new file mode 100644 index 0000000000..2d8cb1e5f5 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/configmap.yaml 
@@ -0,0 +1,43 @@ +{{/* + # Copyright © 2023 Nordix Foundation + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + */}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-app-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/deployment.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/deployment.yaml new file mode 100644 index 0000000000..45572c9692 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/deployment.yaml 
@@ -0,0 +1,75 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} + minReadySeconds: {{ index .Values.minReadySeconds }} + strategy: + type: {{ index .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ index .Values.updateStrategy.maxSurge }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }} + containers: + - name: {{ include "common.name" . }} + command: [ "./start-app.sh" ] + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + resources: {{ include "common.resources" . | nindent 12 }} + env: + - name: DB_HOST + value: {{ include "common.mariadbService" . }} + - name: DB_PORT + value: {{ include "common.mariadbPort" . | quote }} + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 14 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "db-user-creds" "key" "password") | indent 14 }} + - name: DB_ADMIN_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 14 }} + - name: DB_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 14 }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: logs + mountPath: /app/logs + - name: config + mountPath: /app/config + readOnly: true + livenessProbe: + tcpSocket: + port: {{ index .Values.livenessProbe.port }} + initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} + periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} + successThreshold: {{ index .Values.livenessProbe.successThreshold}} + failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} + ports: {{ include "common.containerPorts" . | nindent 12 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: logs + emptyDir: {} + - name: config + configMap: + name: {{ include "common.fullname" . }}-app-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/ingress.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/ingress.yaml new file mode 100644 index 0000000000..30c7b6e674 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/ingress.yaml 
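Review bot: The new Deployment defines no `securityContext` at pod or container level, so the so-cnfm-lcm container runs with whatever user and privileges the image and cluster defaults give it, while holding both the user and the admin database credentials in its environment. If the image can run unprivileged (not verifiable from this page), add under the container `securityContext:` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`. The probe section has only a `tcpSocket` liveness check and no readiness probe, so the pod is marked ready as soon as the container starts. That matters for the callers listed in the authorization policy, which may be routed to an instance that has not finished connecting to the database.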
@@ -0,0 +1,15 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.ingress" . }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/secret.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/secret.yaml new file mode 100644 index 0000000000..e361015b5c --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/service.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/service.yaml new file mode 100644 index 0000000000..72b8e4be89 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/service.yaml 
@@ -0,0 +1,15 @@
+# Copyright © 2023 Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.service" . }}
diff --git a/kubernetes/so/components/so-cnfm-lcm/values.yaml b/kubernetes/so/components/so-cnfm-lcm/values.yaml
new file mode 100644
index 0000000000..9a85ec8c98
--- /dev/null
+++ b/kubernetes/so/components/so-cnfm-lcm/values.yaml
@@ -0,0 +1,155 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: + mountPath: /dockerdata-nfs + mariadbGalera: + service: mariadb-galera + servicePort: '3306' + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' + login: '{{ .Values.db.userName }}' + password: '{{ .Values.db.userPassword }}' + passwordPolicy: required + - uid: db-admin-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' + login: '{{ .Values.db.adminName }}' + password: '{{ .Values.db.adminPassword }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. +################################################################# +image: onap/so/so-cnfm-as-lcm:1.12.1 +pullPolicy: Always + +aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . 
}}-so-mariadb-config-job' + +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + +db: + userName: so_user + userPassword: so_User123 + # userCredsExternalSecret: some secret + adminName: so_admin + adminPassword: so_Admin123 + # adminCredsExternalSecret: some secret +mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 +sdc: + username: mso + password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F + key: 566B754875657232314F5548556D3665 + +replicaCount: 1 +minReadySeconds: 10 +containerPort: &containerPort 9888 +logPath: ./logs/so-cnfm-lcm/ +app: so-cnfm-lcm +service: + type: ClusterIP + ports: + - name: http + port: *containerPort +updateStrategy: + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# +soHelpers: + containerPort: *containerPort + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "2000m" + memory: "4Gi" + requests: + cpu: "500m" + memory: "1Gi" + large: + limits: + cpu: "4000m" + memory: "8Gi" + requests: + cpu: "1000m" + memory: "2Gi" + unlimited: {} + +livenessProbe: + port: *containerPort + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + +ingress: + enabled: false + service: + - baseaddr: 'so-cnfm-lcm-api' + name: 'so-cnfms-lcm' + port: *containerPort + config: + ssl: 'redirect' + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +#Pods Service Account 
+serviceAccount: + nameOverride: so-cnfm-lcm + roles: + - read + diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml index 539e3f11a4..068686db48 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml @@ -17,21 +17,24 @@ apiVersion: v2 description: ONAP SO ETSI NFVO NS LCM name: so-etsi-nfvo-ns-lcm -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml index df47c0a5fd..40f97ad69f 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml @@ -15,13 +15,9 @@ */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + auth: {{ .Values.aai.auth }} version: v19 - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} spring: datasource: hikari: 
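Review bot: The new so-cnfm-lcm values.yaml ships a usable default for every secret it declares: `db.userPassword: so_User123`, `db.adminPassword: so_Admin123`, `mso.key`, `sdc.password`, `sdc.key` and the `aai.auth` blob. Because the `secrets:` entries feed those defaults straight into `password:`, `passwordPolicy: required` is always satisfied, so an install that forgets the overrides comes up with the published database passwords. The encrypted-looking `aai.auth` and `sdc.password` values sit next to what appear to be their keys (`mso.key`, `sdc.key`) and should be treated as plaintext. I would leave `userPassword` and `adminPassword` empty so the policy can actually reject a missing value (or require `userCredsExternalSecret` / `adminCredsExternalSecret`), and mark whatever stays with a comment such as `# demo-only value, override or use an external secret before deploying`.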
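Review bot: With the `common.needTLS` branch gone from the so-etsi-nfvo-ns-lcm override.yaml, the `http://aai.<namespace>:80` endpoint is the only option, so the `aai.auth` value on the line above it travels over plain HTTP unless a mesh sidecar encrypts the connection. The same holds for the `sdc` and `etsi-catalog-manager` endpoints in the so-etsi-sol003-adapter override.yaml and for `mso.adapters.requestDb` in the so-etsi-sol005-adapter override.yaml later in this commit. Nothing in these files states that mesh mTLS is now a hard requirement, so I would add a comment above each endpoint, e.g. `# plain HTTP by design: transport security comes from the service mesh (mTLS); do not deploy without it`.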
@@ -61,16 +57,7 @@ so: etsi-catalog-manager: base: {{- if .Values.global.msbEnabled }} - {{ if (include "common.needTLS" .) }} - endpoint: https://msb-iag:443/api - {{ else }} - endpoint: http://msb-iag:443/api - {{ end }} - http: - client: - ssl: - trust-store: file:${TRUSTSTORE} - trust-store-password: ${TRUSTSTORE_PASSWORD} + endpoint: http://msb-iag:80/api {{- else }} endpoint: http://modeling-etsicatalog.{{ include "common.namespace" . }}:8806/api {{- end }} diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml index add9a02cf6..6bf005c051 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml 
@@ -27,7 +27,7 @@ metadata: data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml index 6465af4e4a..19cf991292 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml @@ -29,7 +29,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 8 }} + initContainers: + {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }} containers: - name: {{ include "common.name" . }} command: @@ -38,12 +39,6 @@ spec: - -c - | export ETSI_NFVO_PASSWORD=`htpasswd -bnBC 10 "" $ETSI_NFVO_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - {{- end }} ./start-app.sh image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} 
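Review bot: In the start-up script of the so-etsi-nfvo-ns-lcm deployment.yaml, the retained `htpasswd -bnBC 10 "" $ETSI_NFVO_PASSWORD_INPUT` call expands the password unquoted and passes it as a command-line argument. A password containing spaces or glob characters is split or expanded before htpasswd sees it, and the cleartext is readable in the container's process list while the command runs. Since this hunk already edits the script, I would feed the value on stdin instead, `printf '%s' "$ETSI_NFVO_PASSWORD_INPUT" | htpasswd -inBC 10 ""`, keeping the existing `tr`/`sed` pipeline behind it. The `args:` block starts outside the hunk.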
@@ -64,12 +59,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 14 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 14 }} - {{ include "so.certificates.env" . | indent 12 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -84,11 +78,10 @@ spec: failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} ports: {{ include "common.containerPorts" . | nindent 12 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml index 6aaa367310..dc6f2b74d6 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml @@ -19,14 +19,8 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + service: mariadb-galera servicePort: '3306' ################################################################# 
@@ -60,6 +54,21 @@ pullPolicy: Always aai: auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-so-mariadb-config-job' + +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -85,7 +94,6 @@ logPath: ./logs/so-etsi-nfvo-ns-lcm/ app: so-etsi-nfvo-ns-lcm service: type: ClusterIP - name: so-etsi-nfvo-ns-lcm annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true' msb.onap.org/service-info: | @@ -111,12 +119,6 @@ updateStrategy: # soHelpers part ################################################################# soHelpers: - nameOverride: so-nfvo-cert-init - certInitializer: - nameOverride: so-nfvo-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.nfvoAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -125,18 +127,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "5Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: @@ -156,6 +158,13 @@ ingress: config: ssl: 'redirect' +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress + nodeSelector: {} tolerations: [] diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml index 599b8055fa..caa7dd9553 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml 
@@ -16,21 +16,21 @@ apiVersion: v2 description: ONAP SO ETSI SOL003 Adapter name: so-etsi-sol003-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml index fed38f7592..04d973a6fc 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml @@ -14,13 +14,9 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + auth: {{ .Values.aai.auth }} version: v15 - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} spring: security: usercredentials: 
@@ -41,30 +37,19 @@ mso: key: {{ .Values.mso.key }} site-name: localSite logPath: ./logs/etsi-sol003-adapter - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} msb-ip: msb-iag msb-port: 80 sdc: - username: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.username "value2" .Values.sdc.username )}} - password: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.password "value2" .Values.sdc.password )}} + username: {{ .Values.sdc.username }} + password: {{ .Values.sdc.password }} key: {{ .Values.sdc.key }} - {{ if (include "common.needTLS" .) }} - endpoint: https://sdc-be.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://sdc-be.{{ include "common.namespace" . }}:8080 - {{ end }} vnfmadapter: endpoint: http://so-etsi-sol003-adapter.{{ include "common.namespace" . }}:9092 etsi-catalog-manager: vnfpkgm: {{- if .Values.global.msbEnabled }} - endpoint: https://msb-iag:443/api/vnfpkgm/v1 - http: - client: - ssl: - trust-store: file:${TRUSTSTORE} - trust-store-password: ${TRUSTSTORE_PASSWORD} + endpoint: http://msb-iag:80/api {{- else }} endpoint: http://modeling-etsicatalog.{{ include "common.namespace" . }}:8806/api/vnfpkgm/v1 {{- end }} diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml 
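Review bot: In the `msbEnabled` branch under `etsi-catalog-manager.vnfpkgm`, the new `endpoint: http://msb-iag:80/api` drops the `/vnfpkgm/v1` suffix that the removed line carried and that the non-MSB branch just below still has (`.../api/vnfpkgm/v1`). It looks copied from the so-etsi-nfvo-ns-lcm override, where the key is `base` rather than `vnfpkgm`. If the adapter appends only resource paths to this value, package-management calls routed through MSB would hit the wrong URL. Unless the client was changed to add the prefix itself, I would write `endpoint: http://msb-iag:80/api/vnfpkgm/v1`.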
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml index 6331656fce..c334fd7699 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml index 7751bf4631..4067eee9bd 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml 
@@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: type: {{ .Values.updateStrategy.type }} 
@@ -34,34 +26,17 @@ spec: maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - export KEYSTORE="{{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.p12" - /app/start-app.sh - {{- end }} - env: - {{ include "so.certificates.env" . | indent 8 | trim }} + resources: {{ include "common.resources" . | nindent 10 }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -74,16 +49,12 @@ spec: periodSeconds: {{ .Values.livenessProbe.periodSeconds}} successThreshold: {{ .Values.livenessProbe.successThreshold}} failureThreshold: {{ .Values.livenessProbe.failureThreshold}} - ports: - - containerPort: {{ .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml index 8f87c68f1e..f298193924 100644 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2019 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} 
diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml index 96a2acd3a6..3da38759a8 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml @@ -13,39 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "{{ include "common.servicename" . }}", - "version": "v1", - "url": "/so/vnfm-adapter/v1", - "protocol": "REST", - "port": "{{.Values.service.externalPort}}", - "visualRange":"1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml index 170cfdd0d7..bea0a28051 100755 
--- a/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml @@ -50,26 +50,34 @@ containerPort: &containerPort 9092 logPath: ./logs/etsi-sol003-adapter/ app: etsi-sol003-adapter service: - type: NodePort - internalPort: *containerPort - externalPort: *containerPort - nodePort: "06" - portName: http + type: NodePort + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true' + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "{{ include "common.servicename" . }}", + "version": "v1", + "url": "/so/vnfm-adapter/v1", + "protocol": "REST", + "port": "{{.Values.containerPort}}", + "visualRange":"1" + } + ]{{ end }} + ports: + - name: http + port: *containerPort + nodePort: "06" + updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-etsi-sol003-cert-init - certInitializer: - nameOverride: so-etsi-sol003-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.vnfmAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
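Review bot: In the so-etsi-sol003-adapter values.yaml, `service.type` stays `NodePort` (now with `nodePort: "06"` under `ports`) while this commit removes the TLS and cert-initializer path, so the adapter's HTTP port is opened in cleartext on every node. The `serviceMesh.authorizationPolicy` added further down only restricts callers when the mesh is enabled, and traffic arriving through the node port may not carry a mesh identity at all. The sibling charts in this commit (so-cnfm-lcm, so-etsi-nfvo-ns-lcm) use `type: ClusterIP` together with the `ingress` block. I would do the same here and drop `nodePort: "06"`, or, if an external consumer really needs the node port, add a comment naming it.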
@@ -78,34 +86,43 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - port: 9092 - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + port: 9092 + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false service: - - baseaddr: "so-etsi-sol003-adapter-api" - name: "so-etsi-sol003-adapter" - port: 9092 + - baseaddr: "so-etsi-sol003-adapter-api" + name: "so-etsi-sol003-adapter" + port: 9092 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-etsi-nfvo-ns-lcm-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml index bb92b9fdca..a6c6c2e708 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-etsi-sol005-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml index 189a02bf73..c4d28c4ce9 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml @@ -42,18 +42,12 @@ server: mso: site-name: localSite logPath: ./logs/etsi-sol005-adapter - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} msb-ip: msb-iag msb-port: 80 adapters: requestDb: - {{ if (include "common.needTLS" .) }} - endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ else }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} #Actuator management: security: 
diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml index 6331656fce..c334fd7699 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml index 1abf21816b..28e8709d7e 100755 
--- a/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml @@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: type: {{ .Values.updateStrategy.type }} @@ -34,30 +26,14 @@ spec: maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
@@ -71,12 +47,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -92,16 +67,12 @@ spec: timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds}} successThreshold: {{ .Values.livenessProbe.successThreshold}} failureThreshold: {{ .Values.livenessProbe.failureThreshold}} - ports: - - containerPort: {{ .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml index 5b8dee0774..21a6a77e27 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml 
@@ -13,28 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml index b20f318658..2b219d0595 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml @@ -19,14 +19,8 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -61,6 +55,15 @@ secrets: image: onap/so/so-etsi-sol005-adapter:1.9.0 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -80,26 +83,19 @@ containerPort: &containerPort 8084 logPath: ./logs/etsi-sol005-adapter/ app: etsi-sol005-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - port: *containerPort + name: http updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 - + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-etsi-sol005-cert-init - certInitializer: - nameOverride: so-etsi-sol005-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.vfcAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
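Review bot: The trailing context of the `@@ -61,6 +55,15 @@` hunk still ships `userPassword: so_User123` under `db:` as a chart default, so an installation that overrides nothing runs with a credential published in this repository. This commit already removes the hard-coded AAF `Basic` header from the same values file, and the database default could be treated the same way: leave the value empty and require it from an externally managed secret. How this chart's `secrets:` entries consume `db.userPassword` is above the hunk, so confirm the wiring there. The same default remains in the so-nssmf-adapter values, and a fixed `msoKey` remains in the so-oof-adapter values.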
@@ -108,30 +104,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8084 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8084 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-mariadb/Chart.yaml b/kubernetes/so/components/so-mariadb/Chart.yaml index 02a456e0bd..f66f740b34 100755 --- a/kubernetes/so/components/so-mariadb/Chart.yaml +++ b/kubernetes/so/components/so-mariadb/Chart.yaml @@ -16,21 +16,21 @@ apiVersion: v2 description: MariaDB Service name: so-mariadb -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
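Review bot: The new `serviceMesh.authorizationPolicy.authorizedPrincipals` list admits `robot-read` alongside `so-bpmn-infra-read` and `so-read`, and nothing in the hunk records why each caller needs to reach this adapter. If `robot-read` is the test suite's service account (an inference from the name only), keeping it in the defaults gives a test identity standing access in every installation; it could instead be added through an override where the tests actually run. A short comment above the list, such as `# callers allowed by the rendered AuthorizationPolicy; list only services that call this adapter`, would document the intent. The so-nssmf-adapter values add the same three principals.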
diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-cnfm-db.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-cnfm-db.sh new file mode 100644 index 0000000000..cb343bc954 --- /dev/null +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-cnfm-db.sh @@ -0,0 +1,39 @@ +#!/bin/sh +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +echo "Creating cnfm database . . ." 1>/tmp/mariadb-cnfmdb.log 2>&1 + +prepare_password() +{ + echo "$1" | sed -e "s/'/\\\\'/g; s/\"/\\\\\"/g" +} + +CNFM_DB_PASSWORD=`prepare_password $CNFM_DB_PASSWORD` + +mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +CREATE DATABASE /*!32312 IF NOT EXISTS*/ cnfm /*!40100 DEFAULT CHARACTER SET latin1 */; +DROP USER IF EXISTS '${CNFM_DB_USER}'; +CREATE USER '${CNFM_DB_USER}'; +GRANT ALL on cnfm.* to '${CNFM_DB_USER}' identified by '${CNFM_DB_PASSWORD}' with GRANT OPTION; +FLUSH PRIVILEGES; +EOF + +echo "Created cnfm database . . ." 1>>/tmp/mariadb-cnfmdb.log 2>&1 \ No newline at end of file 
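Review bot: `prepare_password $CNFM_DB_PASSWORD` expands the secret unquoted, so a password containing whitespace is split and only its first word reaches `$1`, and glob characters can expand against the working directory; the account is then created with a different password than the one held in the secret. Quote the argument: `CNFM_DB_PASSWORD=$(prepare_password "$CNFM_DB_PASSWORD")`. The sed expression in `prepare_password` escapes single and double quotes but not backslashes, so a password ending in `\` still breaks the quoted literal inside the here-document. Separately, `GRANT ALL on cnfm.* ... with GRANT OPTION` lets the application account delegate its own privileges; unless a consumer depends on that, drop `with GRANT OPTION` for this user.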
diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh index 33c4b32146..bf8ae781c0 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh @@ -4,6 +4,7 @@ # ============LICENSE_START========================================== # =================================================================== # Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2022/23 Nordix Foundation # =================================================================== # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -40,6 +41,7 @@ GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON requestdb.* TO '${DB GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON catalogdb.* TO '${DB_USER}'@'%'; GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON camundabpmn.* TO '${DB_USER}'@'%'; GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON nfvo.* TO '${DB_USER}'@'%'; +GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON cnfm.* TO '${DB_USER}'@'%'; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh index 069556f51c..74b869cd54 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh 
@@ -4,6 +4,7 @@ # ============LICENSE_START========================================== # =================================================================== # Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2022/23 Nordix Foundation # =================================================================== # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -40,6 +41,7 @@ GRANT ALL PRIVILEGES ON camundabpmn.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON requestdb.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON catalogdb.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON nfvo.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; +GRANT ALL PRIVILEGES ON cnfm.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/components/so-mariadb/templates/job.yaml b/kubernetes/so/components/so-mariadb/templates/job.yaml index d9c6009c8a..20cba67a26 100644 --- a/kubernetes/so/components/so-mariadb/templates/job.yaml +++ b/kubernetes/so/components/so-mariadb/templates/job.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright (C) 2022/23 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -56,24 +57,17 @@ spec: - | {{- if include "common.onServiceMesh" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - mysqldump -vv --user=${DB_USER} --password=${DB_PASS} --host=${DB_HOST} --port=${DB_PORT} --databases --single-transaction --quick --lock-tables=false catalogdb requestdb nfvo > /var/data/mariadb/backup-`date +%s`.sql + mysqldump -vv --user=${DB_USER} --password=${DB_PASS} --host=${DB_HOST} --port=${DB_PORT} --databases --single-transaction --quick --lock-tables=false catalogdb requestdb nfvo cnfm > /var/data/mariadb/backup-`date +%s`.sql volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: backup-storage mountPath: /var/data/mariadb {{ include "common.waitForJobContainer" . | indent 6 | trim }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: backup-storage persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Never --- {{- end }} @@ -149,10 +143,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nfvo-db-creds" "key" "login") | indent 10 }} - name: NFVO_DB_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nfvo-db-creds" "key" "password") | indent 10 }} + - name: CNFM_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cnfm-db-creds" "key" "login") | indent 10 }} + - name: CNFM_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cnfm-db-creds" "key" "password") | indent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: docker-entrypoint-initdb-d-sh mountPath: "/docker-entrypoint-initdb.d" - name: docker-entrypoint-initdb-d-sql 
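Review bot: The `mysqldump` line in the backup container still passes the credential as `--password=${DB_PASS}`, unquoted and on the command line, so it appears in the container's process list and a value containing spaces or shell metacharacters changes the command. Quote the expansions and supply the password outside argv, for example `export MYSQL_PWD="${DB_PASS}"` before the call with `--password` removed. The dump now also contains `cnfm`, and the resulting `backup-<timestamp>.sql` on the migration volume holds full table contents, so access to that claim should be restricted like access to the database itself.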
@@ -161,8 +156,7 @@ spec: - name: backup-storage mountPath: /var/data/mariadb {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: @@ -172,10 +166,8 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: docker-entrypoint-initdb-d-sh configMap: name: {{ include "common.fullname" . }}-mariadb-sh @@ -188,5 +180,4 @@ spec: claimName: {{ include "common.fullname" . }}-migration {{- end }} restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-mariadb/values.yaml b/kubernetes/so/components/so-mariadb/values.yaml index 13dd0868e8..7eea6a5cf8 100755 --- a/kubernetes/so/components/so-mariadb/values.yaml +++ b/kubernetes/so/components/so-mariadb/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright (C) 2022-23 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,11 +22,13 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 - readinessImage: onap/oom/readiness:4.1.0 + readinessImage: onap/oom/readiness:6.0.3 ubuntuInitRepository: docker.io mariadbGalera: - nameOverride: &mariadbName mariadb-galera - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + nameOverride: mariadb-galera + service: mariadb-galera servicePort: "3306" migration: enabled: false 
@@ -34,10 +37,6 @@ global: dbUser: root dbPassword: secretpassword -readinessCheck: - wait_for: - - *mariadbName - ################################################################# # Secrets metaconfig ################################################################# @@ -89,6 +88,11 @@ secrets: externalSecret: '{{ tpl (default "" .Values.db.nfvo.dbCredsExternalSecret) . }}' login: '{{ .Values.db.nfvo.userName }}' password: '{{ .Values.db.nfvo.password }}' + - uid: cnfm-db-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.cnfm.dbCredsExternalSecret) . }}' + login: '{{ .Values.db.cnfm.userName }}' + password: '{{ .Values.db.cnfm.password }}' ################################################################# # Application configuration defaults. @@ -99,6 +103,15 @@ image: mariadb:10.1.38 pullPolicy: Always ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + # db config db: rootPassword: secretpassword @@ -127,6 +140,9 @@ db: nfvo: userName: nfvouser # dbCredsExternalSecret: some secret + cnfm: + userName: cnfmuser + # dbCredsExternalSecret: some secret # application configuration config: @@ -147,18 +163,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} persistence: @@ -191,3 +207,8 @@ serviceAccount: wait_for_job_container: containers: - '{{ include "common.name" . }}-config' + +readinessCheck: + wait_for: + services: + - '{{ include "common.mariadbService" . }}' diff --git a/kubernetes/so/components/so-nssmf-adapter/Chart.yaml b/kubernetes/so/components/so-nssmf-adapter/Chart.yaml index b8a3387bfb..0dc42e438e 100755 
--- a/kubernetes/so/components/so-nssmf-adapter/Chart.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/Chart.yaml @@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-nssmf-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml index 016b3f534f..633ac7dcc1 100755 --- a/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml @@ -14,12 +14,8 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} + auth: {{ .Values.aai.auth }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} logging: path: logs spring: 
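Review bot: With the `common.needTLS` branch removed in the override.yaml hunk, `aai.endpoint` is always `http://aai.<namespace>:80` and the `aai.auth` value is sent over that connection, so transport protection now depends entirely on something outside the application (presumably the service-mesh sidecars; that configuration is not visible in this hunk). Please state the dependency where the endpoint is defined, e.g. `# plain HTTP by design: requires service-mesh mTLS between SO and AAI`, so the chart is not deployed without the mesh on the assumption that the credential is protected. The same applies to the `requestDb` endpoint later in this file and to the `oof` endpoint in the so-oof-adapter override.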
@@ -58,12 +54,8 @@ mso: msb-port: 80 adapters: requestDb: - {{ if (include "common.needTLS" .) }} - endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ else }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} #Actuator management: endpoints: diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml index 03a3df4163..35baef1759 100755 --- a/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml 
@@ -19,7 +19,7 @@ metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "env") | data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml index f41352e63f..5aea3023aa 100755 --- a/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml @@ -26,11 +26,9 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} @@ -41,12 +39,6 @@ spec: - | export BPEL_PASSWORD=`htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` export ACTUATOR_PASSWORD=`htpasswd -bnBC 10 "" $ACTUATOR_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - {{- end }} ./start-app.sh image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} 
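Review bot: The start-up script kept in the `@@ -41,12 +39,6 @@` hunk of deployment.yaml derives the hashes with `htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT`, which places the clear-text password on the command line and expands it unquoted, so a password containing spaces breaks the call. Since this script is being edited anyway, read the password from stdin instead: `export BPEL_PASSWORD=$(printf '%s' "$BPEL_PASSWORD_INPUT" | htpasswd -inBC 10 "" | tr -d ':\n' | sed 's/\$2y/\$2a/')`, and the same for `ACTUATOR_PASSWORD`. The enclosing `args` block starts above the hunk, so check the rest of the script for the same pattern.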
@@ -72,12 +64,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 14 }} - name: ACTUATOR_PASSWORD_INPUT {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 14 }} - {{ include "so.certificates.env" . | nindent 12 }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-env imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -94,11 +85,10 @@ spec: successThreshold: {{ index .Values.livenessProbe.successThreshold}} failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-nssmf-adapter/values.yaml b/kubernetes/so/components/so-nssmf-adapter/values.yaml index 29f9f4e24d..d45ee69401 100755 --- a/kubernetes/so/components/so-nssmf-adapter/values.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/values.yaml @@ -19,14 +19,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -78,6 +74,15 @@ secrets: image: onap/so/so-nssmf-adapter:1.9.1 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -110,17 +115,14 @@ service: - name: http port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 +################################################################# +# soHelpers part +################################################################# soHelpers: - nameOverride: so-nssmf-cert-init - certInitializer: - nameOverride: so-nssmf-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.nssmfAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -129,30 +131,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8088 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8088 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-oof-adapter/Chart.yaml b/kubernetes/so/components/so-oof-adapter/Chart.yaml index 9f9c107b16..08e8071f26 100755 
--- a/kubernetes/so/components/so-oof-adapter/Chart.yaml +++ b/kubernetes/so/components/so-oof-adapter/Chart.yaml @@ -18,21 +18,21 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-oof-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml index 2d645bebf2..c58ba9196f 100755 --- a/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml @@ -39,17 +39,13 @@ mso: msb-port: 80 msoKey: ${MSO_KEY} camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081 - camundaAuth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.camundaAuth )}} + camundaAuth: {{ .Values.mso.camundaAuth }} workflow: message: endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage oof: auth: ${OOF_LOGIN}:${OOF_PASSWORD} - {{ if (include "common.needTLS" .) }} - endpoint: https://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ else }} endpoint: http://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ end }} #Actuator management: endpoints: 
diff --git a/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml b/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml index da5fda9c42..62ad76709f 100755 --- a/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml @@ -26,7 +26,7 @@ metadata: data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml b/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml index f5307992d1..eef3ef4a0e 100755 --- a/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml 
@@ -26,15 +26,12 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -54,12 +51,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oof-auth" "key" "login") | indent 10 }} - name: OOF_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oof-auth" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -68,11 +64,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: {{- include "common.containerPorts" . | nindent 12 }} + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config 
@@ -84,5 +80,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-oof-adapter/values.yaml b/kubernetes/so/components/so-oof-adapter/values.yaml index 530c35afdd..d1b795dc2c 100755 --- a/kubernetes/so/components/so-oof-adapter/values.yaml +++ b/kubernetes/so/components/so-oof-adapter/values.yaml @@ -20,14 +20,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' # Secrets metaconfig @@ -74,6 +70,15 @@ secrets: image: onap/so/so-oof-adapter:1.8.3 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + mso: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 oof: 
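Review bot: The new side of so-oof-adapter/values.yaml still ships `msoKey: 07a7159d3bf51a0e53be7a8f89699be7` as a chart default (context at the end of the `@@ -74,6 +70,15 @@` hunk), even though the previous hunk removes the embedded `aaf.auth.header` value. A key committed as a default is shared by every installation that does not override it. The deployment template already feeds `OOF_PASSWORD` through `common.secret.envFromSecretFast`, and the key could take the same route; at minimum add a comment such as `# lab default, override per installation`. The so-openstack-adapter and so-request-db-adapter values.yaml hunks show the same pattern with `userPassword: so_User123` and `aai.auth` in context.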
@@ -87,23 +92,19 @@ containerPort: *containerPort logPath: ./logs/oof-adapter/ app: so-oof-adapter service: - type: ClusterIP - ports: - - name: http - port: *containerPort + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 - + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 +################################################################# +# soHelpers part +################################################################# soHelpers: - nameOverride: so-oof-adapter-cert-init - certInitializer: - nameOverride: so-oof-adapter-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.oofadapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -112,30 +113,35 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - path: /manage/health - port: *containerPort - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: *containerPort + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-openstack-adapter/Chart.yaml b/kubernetes/so/components/so-openstack-adapter/Chart.yaml index fc80962326..1129cf23a2 100755 --- a/kubernetes/so/components/so-openstack-adapter/Chart.yaml +++ b/kubernetes/so/components/so-openstack-adapter/Chart.yaml 
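Review bot: With `cadi.apiEnforcement: org.onap.so.oofadapterPerm` removed from `soHelpers` in the `@@ -87,23 +92,19 @@` hunk, the `serviceMesh.authorizationPolicy.authorizedPrincipals` list added in the next hunk appears to be the only caller restriction this chart declares, and nothing in the file says so. If the policy is rendered only when the mesh is enabled (the helper is not shown here), a non-mesh install would be left with just the application's `basic` profile. I would document that above the block, for example `# Only these service accounts may call so-oof-adapter; enforced by the mesh AuthorizationPolicy`. The entries are bare service-account names, so it is also worth confirming how the helper qualifies them with a namespace.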
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-openstack-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml index 7dc22c3536..287c9537b6 100755 --- a/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml @@ -14,12 +14,8 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} + auth: {{ .Values.aai.auth }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} server: {{- if include "common.onServiceMesh" . }} forward-headers-strategy: none 
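Review bot: The `aai` block in the `@@ -14,12 +14,8 @@` hunk now renders `endpoint: http://aai.{{ include "common.namespace" . }}:80` unconditionally, so the value of `aai.auth` travels over plain HTTP unless a layer below the application encrypts it. Dropping the `common.needTLS` branch is consistent with the rest of the commit, but the dependency on mesh mTLS is left implicit. A comment next to the endpoint, such as `# plain HTTP: transport encryption is expected from the service-mesh sidecar`, would make that assumption reviewable. The so-sdc-controller override makes the same change for `aai.endpoint` and for the SDC address, where `useHttpsWithSdc: false` sits beside a `password` entry.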
@@ -72,7 +68,7 @@ org: {{- end }} default_keystone_reg_ex: "/[vV][0-9]" vnf: - bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} + bpelauth: {{ .Values.org.onap.so.adapters.bpelauth }} checkRequiredParameters: true addGetFilesOnVolumeReq: false sockettimeout: 30 @@ -83,7 +79,7 @@ org: valet_enabled: false fail_requests_on_valet_failure: false network: - bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} + bpelauth: {{ .Values.org.onap.so.adapters.bpelauth }} sockettimeout: 5 connecttimeout: 5 retrycount: 5 @@ -113,12 +109,14 @@ ecomp: retryCount: 3 pollTimeout: 7500 pollInterval: 15 +multicloud: + endpoint: http://multicloud-k8s.{{ include "common.namespace" . }}:9015 mso: adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.encrypted "value2" .Values.mso.auth )}} + auth: {{ .Values.mso.db.auth }} + auth: {{ .Values.mso.auth }} logPath: ./logs/openstack msb-ip: msb-iag msb-port: 80 
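Review bot: The credential values in these hunks are interpolated into override.yaml unquoted, e.g. `bpelauth: {{ .Values.org.onap.so.adapters.bpelauth }}` and `auth: {{ .Values.mso.db.auth }}`. The defaults visible elsewhere in this diff are long hex strings, and an overridden value made only of digits, or containing `:` or `#`, could be re-typed or cut short by the YAML parser instead of arriving as the string the application expects. Piping through `quote` avoids that: `auth: {{ .Values.mso.db.auth | quote }}`. The same applies to the `auth:` lines in the `@@ -127,18 +125,14 @@` hunk and in the so-request-db-adapter and so-sdc-controller overrides.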
@@ -127,18 +125,14 @@ mso: endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/sobpmnengine msoKey: {{ .Values.mso.msoKey }} config: - {{ if eq .Values.global.security.aaf.enabled true }} - cadi: {{ include "so.cadi.keys" . | nindent 8}} - {{- else }} cadi: aafId: {{ .Values.mso.basicUser }} - {{- end }} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} + auth: {{ .Values.mso.db.auth }} site-name: localDevEnv async: core-pool-size: 50 diff --git a/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml b/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml index 050aab9732..eeab0f72cd 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml 
+++ b/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml index 55493f7c42..247b8cb3b1 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml @@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: 
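Review bot: Replacing `selector.matchLabels` with `{{- include "common.selectors" . | nindent 4 }}` in the `@@ -15,17 +15,9 @@` hunk of deployment.yaml changes `spec.selector`, which Kubernetes treats as immutable on an existing Deployment. If `common.selectors` (defined outside this diff) renders anything other than the previous `app` label, an in-place `helm upgrade` from the 12.x chart will be rejected until the Deployment is deleted and recreated. The major version bump suggests this is intended, but I would spell out the upgrade step in the release notes or the commit message. The so-request-db-adapter deployment.yaml makes the same change, and the Deployment spec continues outside this hunk.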
@@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +47,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -85,14 +60,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -104,5 +76,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-openstack-adapter/templates/service.yaml b/kubernetes/so/components/so-openstack-adapter/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/service.yaml 
@@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-openstack-adapter/values.yaml b/kubernetes/so/components/so-openstack-adapter/values.yaml index e25f4b3498..15074b5712 100755 --- a/kubernetes/so/components/so-openstack-adapter/values.yaml +++ b/kubernetes/so/components/so-openstack-adapter/values.yaml @@ -19,14 +19,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -58,9 +54,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/openstack-adapter:1.11.0 +image: onap/so/openstack-adapter:1.12.2 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -71,9 +76,6 @@ db: aai: auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 -aaf: - auth: - encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F org: onap: so: @@ -92,25 +94,19 @@ containerPort: &containerPort 8087 logPath: ./logs/openstack/ app: openstack-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# -# soHelper part +# soHelpers part ################################################################# soHelpers: - nameOverride: so-openstack-cert-init - certInitializer: - nameOverride: so-openstack-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.openStackAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -119,30 +115,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8087 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8087 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read config: openStackUserName: "vnf_user" openStackRegion: "RegionOne" diff --git a/kubernetes/so/components/so-request-db-adapter/Chart.yaml b/kubernetes/so/components/so-request-db-adapter/Chart.yaml index c959f3642a..32095c29b7 100755 --- a/kubernetes/so/components/so-request-db-adapter/Chart.yaml +++ b/kubernetes/so/components/so-request-db-adapter/Chart.yaml @@ -16,24 +16,24 @@ apiVersion: v2 description: A Helm chart for request-db-adapter name: so-request-db-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
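Review bot: The default `authorizedPrincipals` list added at the end of the `@@ -119,30 +115,36 @@` hunk includes `robot-read`, which by its name looks like the test-suite account, alongside the SO callers. If that is what it is, every installation that keeps the defaults grants a test harness access to the adapter. I would either leave it out of the defaults and let test environments add it in an override, or mark it: `- serviceAccount: robot-read  # test suite only, remove for production`. The so-request-db-adapter values.yaml adds the same entry.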
diff --git a/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml index 86e02d638a..7ea77493d7 100755 --- a/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml @@ -25,11 +25,9 @@ ssl-enable: false mso: logPath: logs site-name: localSite - config: - cadi: {{- include "so.cadi.keys" . | nindent 8}} adapters: requestDb: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 spring: datasource: diff --git a/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml b/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml index 6331656fce..3be605edf2 100755 --- a/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml @@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,10 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml index fa9d3a6a4b..329d45e480 100755 --- a/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml 
@@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: @@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
@@ -71,28 +47,23 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: - name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + name: {{ include "common.fullname" . }}-app-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-request-db-adapter/templates/service.yaml b/kubernetes/so/components/so-request-db-adapter/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-request-db-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/service.yaml 
@@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-request-db-adapter/values.yaml b/kubernetes/so/components/so-request-db-adapter/values.yaml index 6d24563dcf..9eecb245c7 100755 --- a/kubernetes/so/components/so-request-db-adapter/values.yaml +++ b/kubernetes/so/components/so-request-db-adapter/values.yaml @@ -19,14 +19,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -58,9 +54,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/request-db-adapter:1.11.0 +image: onap/so/request-db-adapter:1.12.2 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -80,25 +85,19 @@ containerPort: &containerPort 8083 logPath: ./logs/reqdb/ app: request-db-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-requestdb-cert-init - certInitializer: - nameOverride: so-requestdb-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.requestDbAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -107,30 +106,41 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8083 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8083 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-admin-cockpit-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-etsi-sol005-adapter-read + - serviceAccount: so-nssmf-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-sdc-controller/Chart.yaml b/kubernetes/so/components/so-sdc-controller/Chart.yaml index e0db2678d4..fc5496cc3a 100755 --- a/kubernetes/so/components/so-sdc-controller/Chart.yaml +++ b/kubernetes/so/components/so-sdc-controller/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-sdc-controller -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml index 29a1cf7443..473b1c3bcf 100755 --- a/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml 
@@ -51,49 +51,43 @@ request: mso: msoKey: {{ index .Values.mso.msoKey }} logPath: ./logs/sdc - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} + auth: {{ .Values.mso.requestDb.auth }} site-name: onapheat camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} + auth: {{ .Values.mso.requestDb.auth }} aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} asdc-connections: asdc-controller1: user: mso - consumerGroup: SO-OpenSource-Env11 - consumerId: SO-COpenSource-Env11 - environmentName: AUTO - {{ if (include "common.needTLS" .) }} - asdcAddress: sdc-be.{{ include "common.namespace" . }}:8443 - {{ else }} - asdcAddress: sdc-be.{{ include "common.namespace" . }}:8080 + {{ with (first .Values.kafkaUser.acls) }} + consumerId: {{ .name }}-sdc-controller + consumerGroup: {{ .name }} {{ end }} + environmentName: AUTO + sdcAddress: sdc-be.{{ include "common.namespace" . 
}}:8080 password: {{ index .Values "mso" "asdc-connections" "asdc-controller1" "password" }} pollingInterval: 60 pollingTimeout: 60 relevantArtifactTypes: HEAT,HEAT_ENV,HEAT_VOL - useHttpsWithDmaap: false - useHttpsWithSdc: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + useHttpsWithSdc: false activateServerTLSAuth: false keyStorePassword: keyStorePath: watchDogTimeout: 300 isFitlerInEmptyResources: true - messageBusAddress: message-router.{{ include "common.namespace" . }},message-router.{{ include "common.namespace" . }} + httpsProxyHost: + httpProxyHost: + httpsProxyPort: 0 + httpProxyPort: 0 asdc: config: activity: diff --git a/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml b/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml index 050aab9732..cb40c08f77 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml 
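Review bot: With the `common.needTLS` branches removed from so-sdc-controller's override.yaml, the `aai` endpoint and `sdcAddress` are fixed to plain HTTP and `useHttpsWithSdc` is hard-coded to `false`, while the same file still carries a `password:` and Basic `auth:` values. That is only safe if every deployment runs these pods behind a service mesh with mTLS enforced, which the change presumably relies on but neither states nor checks. A comment above the endpoints, e.g. `# plain HTTP on purpose: transport encryption is delegated to the service mesh`, would record the assumption, and a values switch for the scheme would keep non-mesh installs from sending credentials in clear. The so-ve-vnfm-adapter override.yaml hunk (`endpoint: http://msb-iag:80/...`) has the same issue.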
@@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,10 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml index 55493f7c42..e3a0e2bec3 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml @@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: 
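Review bot: In the deployment.yaml hunk, `spec.selector` changes from the literal `matchLabels: app: {{ include "common.name" . }}` to `{{- include "common.selectors" . | nindent 4 }}`. A Deployment's selector is immutable in apps/v1, so if the common template renders different labels (its body is not visible here), an in-place `helm upgrade` from the 12.x chart will be rejected until the old Deployment is deleted. The chart notes should say so, for example `# selector labels changed in 13.0.0: delete the existing Deployment before upgrading`. The so-sdnc-adapter deployment.yaml hunk makes the same change.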
@@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +47,16 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
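Review bot: The added `SASL_JAAS_CONFIG` entry hard-codes the secret name as `{{ include "common.name" . }}-ku`, whereas the configMapRef next to it uses `common.fullname` and the DB credentials go through the secret uid helper. The name has to match whatever secret is produced for the KafkaUser rendered by `common.kafkauser`, which this hunk cannot verify. A `nameOverride` or a release-prefixed user name would leave the pod waiting on a missing secret, and in a shared namespace the unprefixed name could resolve to another release's credentials. Deriving the name from the same helper that names the KafkaUser, or adding `# must equal the KafkaUser secret name generated by common.kafkauser`, would make the coupling explicit; the container spec continues outside this hunk.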
@@ -85,14 +65,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -104,5 +81,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml b/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} 
diff --git a/kubernetes/so/components/so-sdc-controller/templates/service.yaml b/kubernetes/so/components/so-sdc-controller/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/service.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/service.yaml @@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdc-controller/values.yaml b/kubernetes/so/components/so-sdc-controller/values.yaml index f006c0772c..1fe5b50cf7 100755 --- a/kubernetes/so/components/so-sdc-controller/values.yaml +++ b/kubernetes/so/components/so-sdc-controller/values.yaml 
@@ -19,15 +19,12 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' + soSdcListenerKafkaUser: so-sdc-list-user readinessCheck: wait_for: @@ -58,9 +55,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdc-controller:1.11.0 +image: onap/so/sdc-controller:1.12.2 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -87,26 +93,22 @@ minReadySeconds: 10 containerPort: &containerPort 8085 logPath: ./logs/sdc/ app: sdc-controller + service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort + updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-sdc-cert-init - certInitializer: - nameOverride: so-sdc-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.sdcControllerPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
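Review bot: This commit drops the hard-coded `global.aaf.auth.header` credential, but the second hunk on this line still leaves `db.userPassword` with a fixed default in the chart values. Anyone installing with defaults gets a database account whose password is published in the repository. Prefer an empty default that must be supplied or generated at install time, or at minimum a comment such as `# lab default only: override or provide an external secret before deploying`. The so-sdnc-adapter values.yaml hunks keep the same `db` default and also a Base64 `requestDb.auth` value.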
@@ -115,34 +117,54 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} + livenessProbe: - path: /manage/health - port: 8085 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8085 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + ingress: enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-read + nodeSelector: {} tolerations: [] affinity: {} +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: SO + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + #Pods Service Account serviceAccount: nameOverride: so-sdc-controller diff --git a/kubernetes/so/components/so-sdnc-adapter/Chart.yaml b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml index 64464ac034..c43cad7624 100755 --- a/kubernetes/so/components/so-sdnc-adapter/Chart.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml 
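Review bot: The order of `kafkaUser.acls` is load-bearing but nothing in the values says so: override.yaml takes `first .Values.kafkaUser.acls` and uses its `name` for both `consumerId` and `consumerGroup`. If an override file reorders the list or puts the topic ACL first, the controller would join a consumer group named after the topic prefix, and an empty list silently drops both keys because of the `with`. A comment above the list, `# the first entry must be the consumer-group ACL; override.yaml derives consumerId/consumerGroup from it`, would cover it. It is also worth confirming that `Write` is needed on every topic under the `SDC-DISTR` prefix rather than only on the ones the controller publishes to.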
@@ -17,21 +17,21 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-sdnc-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml index 119236b1b2..55dc11526d 100755 --- a/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml @@ -20,20 +20,21 @@ server: port: {{ index .Values.containerPort }} mso: msoKey: ${MSO_KEY} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "${AAF_AUTH}" "value2" "${MSO_AUTH}" )}} + auth: ${MSO_AUTH} async: core-pool-size: 50 max-pool-size: 50 queue-capacity: 500 logPath: ./logs/sdnc config: - cadi: {{ include "so.cadi.keys" . | nindent 14}} + cadi: + aafId: so@so.onap.org catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} site-name: onapheat #needs to be confirmed TODO workflow: 
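Review bot: In so-sdnc-adapter's override.yaml, the new `db.auth` line renders `.Values.mso.adapters.requestDb.auth` straight into the config file, whereas `mso.auth` a few lines above is passed as `${MSO_AUTH}` and resolved from a secret at runtime. If this override file ends up in a ConfigMap (not visible in the hunk), the Basic credential is readable by anyone who can read ConfigMaps in the namespace. Routing it through the chart's secret list and an environment placeholder, e.g. `auth: ${REQUEST_DB_AUTH}` (variable name illustrative), would keep it out of the rendered config. The `bpelauth` and `sdncauth` hunks later in this file and the two `auth:` lines in so-sdc-controller's override.yaml follow the same pattern.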
@@ -112,7 +113,7 @@ org: changedelete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf delete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf rollback: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf - bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.bpelauth )}} + bpelauth: {{ .Values.org.onap.so.adapters.sdnc.bpelauth }} bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/SDNCAdapterCallbackService opticalservice: optical-service-create: @@ -157,7 +158,7 @@ org: myurl: http://so-sdnc-adapter.{{ include "common.namespace" . }}:8086/adapters/rest/SDNCNotify rest: bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage - sdncauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.sdncauth )}} + sdncauth: {{ .Values.org.onap.so.adapters.sdnc.sdncauth }} sdncconnecttime: 5000 sdncurl10: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/GENERIC-RESOURCE-API:' sdncurl11: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/VNFTOPOLOGYAIC-API:' diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml index 050aab9732..eeab0f72cd 100755 --- a/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml index b95e0b58a3..e298069233 100755 --- a/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml 
@@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: @@ -34,28 +26,12 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
@@ -73,14 +49,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-adapter-mso-key" "key" "password") | indent 10 }} - name: MSO_AUTH {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-adapter-mso-auth" "key" "password") | indent 10 }} - - name: AAF_AUTH - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-adapter-aaf-auth" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -89,14 +62,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -108,5 +78,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml index 5b8dee0774..495f828bfb 100755 
--- a/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml @@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdnc-adapter/values.yaml b/kubernetes/so/components/so-sdnc-adapter/values.yaml index 1562a37ddd..61ec096111 100755 --- a/kubernetes/so/components/so-sdnc-adapter/values.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/values.yaml 
@@ -22,16 +22,10 @@ global: #This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 - #encryptedSecret: some secret mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' ################################################################# @@ -55,11 +49,6 @@ secrets: type: password externalSecret: '{{ tpl (default "" .Values.mso.msoKeySecret) . }}' password: '{{ .Values.mso.msoKey }}' - - uid: sdnc-adapter-aaf-auth - name: '{{ include "common.release" . }}-so-sdnc-aaf-auth' - type: password - externalSecret: '{{ tpl (default "" .Values.global.aaf.auth.encryptedSecret) . }}' - password: '{{ .Values.global.aaf.auth.encrypted }}' - uid: sdnc-adapter-mso-auth name: '{{ include "common.release" . }}-so-sdnc-mso-auth' type: password @@ -72,7 +61,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdnc-adapter:1.11.0 +image: onap/so/sdnc-adapter:1.12.2 pullPolicy: Always org: @@ -93,6 +82,15 @@ mso: requestDb: auth: Basic YnBlbDpwYXNzd29yZDEk +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
@@ -107,26 +105,19 @@ containerPort: &containerPort 8086 logPath: ./logs/sdnc/ app: sdnc-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 - + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-sdnc-cert-init - certInitializer: - nameOverride: so-sdnc-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.sdncAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -135,30 +126,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8086 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8086 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml index 1b4294af2f..d45c89ca71 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml 
@@ -17,24 +17,21 @@ apiVersion: v2 description: ONAP SO VE VNFM Adapter (SOL002) name: so-ve-vnfm-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: soHelpers - version: ~12.x-0 - repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml index 1a96abf9cb..606ceb4fcc 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml @@ -21,18 +21,10 @@ server: port: {{ include "common.getPort" (dict "global" . "name" "http") }} vevnfmadapter: - {{ if (include "common.needTLS" .) }} - endpoint: https://msb-iag:30283/api/{{ include "common.servicename" . }}/v1 - {{ else }} - endpoint: http://msb-iag:30283/api/{{ include "common.servicename" . }}/v1 - {{ end }} + endpoint: http://msb-iag:80/api/{{ include "common.servicename" . }}/v1 aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} dmaap: endpoint: http://message-router.{{ include "common.namespace" . }}:3904 
diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml index 9a6b79c440..e322b60e48 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml @@ -24,7 +24,7 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} + initContainers: {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} 
@@ -34,7 +34,7 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -47,9 +47,9 @@ spec: periodSeconds: {{ .Values.livenessProbe.periodSeconds}} successThreshold: {{ .Values.livenessProbe.successThreshold}} failureThreshold: {{ .Values.livenessProbe.failureThreshold}} - ports: {{- include "common.containerPorts" . | nindent 10 }} + ports: {{- include "common.containerPorts" . | nindent 12 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml index 8e8236cfb4..0e252ff376 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml @@ -20,8 +20,9 @@ global: readinessCheck: wait_for: - - aai - - message-router + services: + - aai + - message-router ################################################################# # Application configuration defaults. 
@@ -48,31 +49,22 @@ service: - name: http port: 9098 -################################################################# -# soHelpers part -################################################################# -soHelpers: - nameOverride: so-vevnfm-cert-init - certInitializer: - nameOverride: so-vevnfm-cert-init - credsPath: /opt/app/osaaf/local - flavor: small resources: small: limits: - memory: 512Mi - cpu: 500m + cpu: "1" + memory: "1Gi" requests: - memory: 256Mi - cpu: 250m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: port: 9098 @@ -85,6 +77,11 @@ nodeSelector: {} tolerations: [] affinity: {} +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + #Pods Service Account serviceAccount: nameOverride: so-ve-vnfm-adapter diff --git a/kubernetes/so/components/soHelpers/Chart.yaml b/kubernetes/so/components/soHelpers/Chart.yaml index bf300e3f3b..36ce3fae70 100755 --- a/kubernetes/so/components/soHelpers/Chart.yaml +++ b/kubernetes/so/components/soHelpers/Chart.yaml @@ -16,15 +16,12 @@ apiVersion: v2 description: A Helm chart for SO helpers name: soHelpers -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl b/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl deleted file mode 100644 index 7e04706d4a..0000000000 --- a/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl +++ /dev/null 
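Review bot: The new `serviceMesh.authorizationPolicy.authorizedPrincipals` block in the so-ve-vnfm-adapter values.yaml (hunk `@@ -85,6 +77,11 @@`) allows a single caller, `so-read`, with no comment saying which workload that account belongs to or why it is the only one. I would add a comment above the list, e.g. `# Only pods running under the so-read service account may call this adapter; extend the list when a new caller is added`. How `common.authorizationPolicy` expands the bare name into a mesh principal (namespace, release prefix) is not visible in this diff. It is worth confirming that the result matches the `serviceAccountName` the calling deployment actually renders, since a mismatch would deny all callers.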
@@ -1,21 +0,0 @@ -{{- define "so.cadi.keys" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -cadiLoglevel: {{ $initRoot.cadi.logLevel }} -cadiKeyFile: {{ $initRoot.certInitializer.credsPath }}/{{ $initRoot.certInitializer.fqi_namespace }}.keyfile -cadiTrustStore: {{ $initRoot.certInitializer.credsPath }}/truststoreONAPall.jks -cadiTruststorePassword: ${TRUSTSTORE_PASSWORD} -cadiLatitude: {{ $initRoot.cadi.latitude }} -cadiLongitude: {{ $initRoot.cadi.longitude }} -aafEnv: {{ $initRoot.cadi.aafEnv }} -aafApiVersion: {{ $initRoot.cadi.aafApiVersion }} -aafRootNs: {{ $initRoot.cadi.aafRootNs }} -aafId: {{ $initRoot.cadi.aafId }} -aafPassword: {{ $initRoot.cadi.aafPassword }} -aafLocateUrl: {{ $initRoot.cadi.aafLocateUrl }} -aafUrl: {{ $initRoot.cadi.aafUrl }} -apiEnforcement: {{ $initRoot.cadi.apiEnforcement }} -{{- if ($initRoot.cadi.noAuthn) }} -noAuthn: {{ $initRoot.cadi.noAuthn }} -{{- end }} -{{- end }} diff --git a/kubernetes/so/components/soHelpers/templates/_certificates.tpl b/kubernetes/so/components/soHelpers/templates/_certificates.tpl deleted file mode 100644 index cda61b2cfa..0000000000 --- a/kubernetes/so/components/soHelpers/templates/_certificates.tpl +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- define "so.certificate.container_importer" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{ include "common.certInitializer.initContainer" $subchartDot }} -{{- end -}} - -{{- define "so.certificate.volumes" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{ include "common.certInitializer.volumes" $subchartDot }} -{{- end -}} - -{{- define "so.certificate.volumeMount" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{ include "common.certInitializer.volumeMount" $subchartDot }} -{{- end -}} - -{{- define "so.certificates.env" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{- if $dot.Values.global.aafEnabled }} -- name: TRUSTSTORE - value: {{ $subchartDot.Values.certInitializer.credsPath }}/truststoreONAPall.jks -{{- if $dot.Values.global.security.aaf.enabled }} -- name: KEYSTORE - value: {{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.certInitializer.fqi_namespace }}.p12 -{{- end }} -{{- end }} -{{- end -}} diff --git a/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl b/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl index cde94742c6..e596b806ed 100644 --- a/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl +++ b/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl 
@@ -7,11 +7,6 @@ livenessProbe: path: {{ $subchartDot.Values.livenessProbe.path }} port: {{ $subchartDot.Values.containerPort }} scheme: {{ $subchartDot.Values.livenessProbe.scheme }} - {{- if $subchartDot.Values.global.security.aaf.enabled }} - httpHeaders: - - name: Authorization - value: {{ $subchartDot.Values.global.aaf.auth.header }} - {{- end }} initialDelaySeconds: {{ $subchartDot.Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ $subchartDot.Values.livenessProbe.periodSeconds }} timeoutSeconds: {{ $subchartDot.Values.livenessProbe.timeoutSeconds }} diff --git a/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl b/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl deleted file mode 100644 index 56910ebebd..0000000000 --- a/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl +++ /dev/null @@ -1,3 +0,0 @@ -{{- define "so.helpers.profileProperty" -}} - {{ if .condition }}{{ .value1 }}{{ else }}{{ .value2 }}{{ end }} -{{- end -}} diff --git a/kubernetes/so/components/soHelpers/values.yaml b/kubernetes/so/components/soHelpers/values.yaml index 2417d2553c..ec3fef2d81 100755 --- a/kubernetes/so/components/soHelpers/values.yaml +++ b/kubernetes/so/components/soHelpers/values.yaml 
@@ -16,38 +16,10 @@ # Global configuration defaults. ################################################################# global: - aafAgentImage: onap/aaf/aaf_agent:2.1.20 msbEnabled: true - security: - aaf: - enabled: false app: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 -################################################################# -# AAF part -################################################################# -certInitializer: - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: so - fqi: so@so.onap.org - public_fqdn: so.onap.org - fqi_namespace: org.onap.so - cadi_longitude: '0.0' - cadi_latitude: '0.0' - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PASSWORD={{ .Values.truststorePassword }}" >> {{ .Values.credsPath }}/mycreds.prop - -aafConfig: - permission_user: 1000 - permission_group: 999 - ################################################################# # Application configuration defaults. ################################################################# @@ -60,17 +32,3 @@ livenessProbe: timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 - -cadi: - logLevel: DEBUG - latitude: 38.4329 - longitude: -90.43248 - aafEnv: IST - aafApiVersion: 2.1 - aafRootNs: org.onap.so - aafLocateUrl: https://aaf-locate.onap:8095 - aafUrl: https://aaf-locate.onap:8095/locate/org.osaaf.aaf.service:2.1 - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.apihPerm - noAuthn: /manage/health diff --git a/kubernetes/so/resources/config/overrides/override.yaml b/kubernetes/so/resources/config/overrides/override.yaml index 48b75c72e9..47fc6d3d5d 100755 
--- a/kubernetes/so/resources/config/overrides/override.yaml +++ b/kubernetes/so/resources/config/overrides/override.yaml @@ -1,10 +1,6 @@ aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} + auth: {{ .Values.mso.aai.auth }} server: port: {{ index .Values.containerPort }} tomcat: @@ -17,16 +13,15 @@ mso: adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} config: path: /src/main/resources/ - cadi: {{ include "so.cadi.keys" . | nindent 10}} infra: default: alacarte: 
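Review bot: With the `common.needTLS` branches removed in the `@@ -1,10 +1,6 @@` hunk, the `aai` endpoint is always plain `http://` on port 80 while `auth: {{ .Values.mso.aai.auth }}` is still sent to it, so the credential crosses the cluster network in cleartext unless something outside this file encrypts the traffic. The same applies to the `sdc-be` and second `aai` endpoints in the `@@ -38,33 +33,25 @@` hunk. The commit adds authorization-policy templates, which suggests a service mesh is expected to provide mTLS. If so, state that dependency next to the endpoints, e.g. `# plain HTTP: transport encryption is provided by the service mesh (mTLS)`, and consider failing the render when the mesh is disabled. Separately, the `auth:` values are rendered unquoted; `auth: {{ .Values.mso.aai.auth | quote }}` keeps a value containing YAML-special characters from breaking the file.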
@@ -38,33 +33,25 @@ mso: default: testApi: GR_API camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ - camundaAuth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.camundaAuth )}} + camundaAuth: {{ .Values.mso.camundaAuth }} async: core-pool-size: 50 max-pool-size: 50 queue-capacity: 500 sdc: client: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.sdc.client.auth )}} + auth: {{ .Values.mso.sdc.client.auth }} activate: instanceid: test userid: cs0008 - {{ if (include "common.needTLS" .) }} - endpoint: https://sdc-be.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://sdc-be.{{ include "common.namespace" . }}:8080 - {{ end }} tenant: isolation: retry: count: 3 aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} + auth: {{ .Values.mso.aai.auth }} extApi: endpoint: http://nbi.onap:8080/nbi/api/v3 
@@ -74,11 +61,11 @@ mso: username: testuser password: VjR5NDcxSzA= host: http://dmaap-bc.{{ include "common.namespace" . }}:8080 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.so.operationalEnv.dmaap.auth )}} + auth: {{ .Values.mso.so.operationalEnv.dmaap.auth }} publisher: topic: com.att.ecomp.mso.operationalEnvironmentEvent health: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.health.auth )}} + auth: {{ .Values.mso.health.auth }} endpoints: - subsystem: apih uri: http://so-bpmn-infra:8081 diff --git a/kubernetes/so/templates/authorizationpolicy.yaml b/kubernetes/so/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/templates/configmap.yaml b/kubernetes/so/templates/configmap.yaml index c55bf573f1..052a985387 100755 --- a/kubernetes/so/templates/configmap.yaml +++ b/kubernetes/so/templates/configmap.yaml 
@@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,10 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml index 99a5eff0e7..dcf04b0f9a 100755 --- a/kubernetes/so/templates/deployment.yaml +++ b/kubernetes/so/templates/deployment.yaml @@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} 
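Review bot: In the so/templates/deployment.yaml hunk `@@ -15,18 +15,10 @@`, replacing the hand-written `matchLabels` (`app: {{ include "common.name" . }}`) with `common.selectors` changes `spec.selector` if the helper renders different labels, and that field is immutable on an apps/v1 Deployment. What `common.selectors` renders is not visible in this diff, so this needs checking. If the labels differ, an in-place `helm upgrade` of an existing release will be rejected and the Deployment has to be deleted first. A line in the release notes or commit message saying that the SO Deployment must be recreated would cover it.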
@@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +47,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -85,24 +60,20 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: - name: {{ include "common.fullname" . }}-app-configmap + name: {{ include "common.fullname" . }}-app-configmap - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log {{ include "common.log.volumes" . | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/templates/ingress.yaml b/kubernetes/so/templates/ingress.yaml index 8f87c68f1e..9bef773eda 100644 --- a/kubernetes/so/templates/ingress.yaml +++ b/kubernetes/so/templates/ingress.yaml 
@@ -1 +1,17 @@ +{{/* +# Copyright © 2018 AT&T USA +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/so/templates/service.yaml b/kubernetes/so/templates/service.yaml index 5a83d566ac..21a6a77e27 100755 --- a/kubernetes/so/templates/service.yaml +++ b/kubernetes/so/templates/service.yaml 
@@ -13,391 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/activate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/deactivate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}/{requestId}/unlock", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}", - "protocol": "REST", - "port": "{{ 
.Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}/unlock", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/activate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/deactivate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][7]}/serviceInstances/assign", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/unassign", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/enablePort", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/disablePort", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/activate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/deactivate", 
- "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/addRelationships", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/removeRelationships", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/replace", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/applyUpdatedConfig", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/replace", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/inPlaceSoftwareUpdate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/deactivateAndCloudDelete", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/scaleOut", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index cc63ca50c0..0d53ea3aa8 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -1,6 +1,8 @@ # Copyright © 2018 AT&T USA # Copyright © 2020 Huawei # Copyright © 2021 Orange +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -18,19 +20,19 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 - aafAgentImage: onap/aaf/aaf_agent:2.1.20 centralizedLoggingEnabled: true mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true nameOverride: mariadb-galera - serviceName: mariadb-galera servicePort: '3306' service: mariadb-galera internalPort: '3306' - # mariadbRootPassword: secretpassword - # rootPasswordExternalSecret: some secret - #This flag allows SO to instantiate its own mariadb-galera cluster, - #serviceName and nameOverride should be so-mariadb-galera if this flag is enabled + # This flag allows SO to instantiate its own mariadb-galera cluster, + # serviceName and nameOverride should be so-mariadb-galera if this flag is enabled localCluster: false + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: persistence: mountPath: /dockerdata-nfs #This configuration specifies Service and port for SDNC OAM interface @@ -46,22 +48,11 @@ global: dbPassword: secretpassword # dbCredsExternalSecret: some secret msbEnabled: true - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 app: siteName: onapheat auth: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 defaultCloudOwner: onap - certificates: - path: /etc/ssl/certs - share_path: /usr/local/share/ca-certificates/ - readinessCheck: wait_for: jobs: 
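Review bot: The `app.auth` value kept as context in the second hunk (`@@ -46,22 +48,11 @@ global:`) is byte-for-byte the same string as the `aaf.auth.encrypted` value that hunk deletes, and `dbPassword: secretpassword` stays beside it as a chart default, so the cleanup removes the AAF wiring but leaves shared default secrets in `values.yaml`. The same applies to `server.aai.password` in the later `@@ -182,13 +154,9 @@ dbCreds:` hunk. I would mark these as lab-only defaults and name the override, for example `# lab default only - set dbCredsExternalSecret for real deployments` above `dbPassword`. The credential behind the removed `Basic` header should still be rotated wherever it was deployed, since deleting it from the chart does not revoke it. The `global:` block starts outside the hunk.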
@@ -74,11 +65,24 @@ secrets: - uid: db-root-pass name: &dbRootPassSecretName '{{ include "common.release" . }}-so-db-root-pass' type: password - externalSecret: '{{ .Values.global.mariadbGalera.localCluster | ternary - .Values.global.mariadbGalera.rootPasswordExternalSecret - (default (include "common.mariadb.secret.rootPassSecretName" - (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) - .Values.global.mariadbGalera.rootPasswordExternalSecret) }}' + # If we're using shared mariadb, we need to use the secret name (second + # part). + # If not, we do the same trick than for user db secret hat allows you + # override this secret using external one with the same field that is used + # to pass this to subchart. + externalSecret: '{{ .Values.global.mariadbGalera.localCluster | + ternary (( hasSuffix "so-db-root-pass" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) + ) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' password: '{{ .Values.global.mariadbGalera.mariadbRootpassword }}' - uid: db-backup-creds name: &dbBackupCredsSecretName '{{ include "common.release" . }}-so-db-backup-creds' 
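Review bot: The outer `hasSuffix "so-db-root-pass" (index .Values "mariadb-galera" "rootUser" "externalSecret")` reads the value without the `default ""` guard that the inner branch applies to the same key a few lines below, so an override that clears `rootUser.externalSecret` would likely fail the render instead of falling back. Wrapping it the same way, `hasSuffix "so-db-root-pass" (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret"))`, keeps both reads consistent. Template function arguments are evaluated before `ternary` runs, so the `include "common.mariadb.secret.rootPassSecretName"` branch is also rendered when `localCluster` is true; the comment should say so. The comment itself has two slips: "same trick than" should read "same trick as", and "secret hat allows you" should read "secret that allows you to".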
@@ -129,13 +133,6 @@ secrets: login: '{{ .Values.server.bpel.username }}' password: '{{ .Values.server.bpel.password }}' passwordPolicy: required - - uid: so-aaf-creds - name: &aaf-secrets '{{ include "common.release" . }}-so-server-aaf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.server.aafCredsExternalSecret) . }}' - login: '{{ .Values.server.aaf.username }}' - password: '{{ .Values.server.aaf.password }}' - passwordPolicy: required - uid: so-aai-creds name: &aai-secrets '{{ include "common.release" . }}-so-server-aai-creds' type: basicAuth @@ -144,32 +141,7 @@ secrets: password: '{{ .Values.server.aai.password }}' passwordPolicy: required -aafConfig: - permission_user: 1000 - permission_group: 999 - -aaf: - trustore: org.onap.so.trust.jks - -################################################################# -# AAF part for Ingress -################################################################# -certInitializer: - nameOverride: so-tls-cert - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: so - fqi: so@so.onap.org - public_fqdn: so.onap.org - fqi_namespace: org.onap.so - cadi_longitude: '0.0' - cadi_latitude: '0.0' - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - ingressTlsSecret: '{{ include "common.release" . }}-so-ingress-certs' - -################################################################# +################################################################## # Application configuration defaults. ################################################################# @@ -182,13 +154,9 @@ dbCreds: userName: so_user adminName: so_admin -image: onap/so/api-handler-infra:1.11.0 +image: onap/so/api-handler-infra:1.12.2 server: - aaf: - username: so@so.onap.org - password: demo123456 - # aafCredsExternalSecret: some secret aai: username: aai@aai.onap.org password: demo123456! 
@@ -210,45 +178,405 @@ logPath: ./logs/apih/ app: api-handler-infra service: type: NodePort - nodePort: 77 internalPort: *containerPort - externalPort: *containerPort - portName: http + ports: + - name: http + port: *containerPort + nodePort: '77' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/activate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/deactivate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}/{requestId}/unlock", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": 
"/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}/unlock", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/activate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/deactivate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][7]}/serviceInstances/assign", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/unassign", + "protocol": "REST", + "port": "{{ 
.Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/enablePort", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/disablePort", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/activate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/deactivate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + 
"serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/addRelationships", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/removeRelationships", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/replace", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/applyUpdatedConfig", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort 
}}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/replace", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/inPlaceSoftwareUpdate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/deactivateAndCloudDelete", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + 
"visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/scaleOut", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": 
"/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + } + ]{{ end }} + updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 -################################################################# +################################################################ # soHelpers part ################################################################# soHelpers: - nameOverride: so-apih-cert-init - certInitializer: - nameOverride: so-apih-cert-init - credsPath: /opt/app/osaaf/local containerPort: *containerPort # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) -persistence: - certificatesPath: /certificates resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} nodeSelector: {} @@ -266,11 +594,18 @@ config: # --set so.global.mariadbGalera.localCluster=true \ # --set so.global.mariadbGalera.nameOverride=so-mariadb-galera \ # --set so.global.mariadbGalera.serviceName=so-mariadb-galera -mariadb-galera: +mariadb-galera: &mariadbGalera rootUser: externalSecret: *dbRootPassSecretName nameOverride: &so-mariadb so-mariadb-galera replicaCount: 1 + service: + name: *so-mariadb + portName: *so-mariadb + internalPort: 3306 + mariadbOperator: + galera: + enabled: false persistence: mountSubPath: so/mariadb-galera/data enabled: true 
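Review bot: Several routes in the new `msb.onap.org/service-info` list are registered twice with identical `url` values, for example `.../vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}`, `.../networks/{networkInstanceId}` and `.../vfModules/{vfmoduleInstanceId}`. They were carried over unchanged from the removed template annotation, so this move is a good moment to drop the repeats or, if each pair was meant to differ, to correct the second entry. Every entry also sets `"visualRange":"0"` on a `NodePort` service; a one-line comment above the annotation stating the intended exposure of these orchestration endpoints would help whoever audits the list. Separately, the `resources` change lowers the CPU limits (`2000m` to `"1"` for small, `4000m` to `"2"` for large) while the requests keep their values, and the visible hunk does not explain why.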
@@ -283,9 +618,18 @@ ingress: - baseaddr: 'so-api' name: 'so' port: 8080 - config: - tls: - secret: '{{ include "common.release" . }}-so-ingress-certs' + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: consul-read + - serviceAccount: consul-server-read + - serviceAccount: nbi-read + - serviceAccount: policy-drools-pdp-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: robot-read + - serviceAccount: istio-ingress + namespace: istio-ingress mso: adapters: 
@@ -308,49 +652,69 @@ mso: health: auth: basic bXNvX2FkbWlufHBhc3N3b3JkMSQ= -so-appc-orchestrator: - enabled: false - server: - actuatorCredsExternalSecret: *actuator-secrets - db: - <<: *dbSecrets - so-bpmn-infra: + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets logConfigMapNamePrefix: '{{ include "common.release" . }}-so' so-catalog-db-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-cnf-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets server: - aafCredsExternalSecret: *aaf-secrets aaiCredsExternalSecret: *aai-secrets actuatorCredsExternalSecret: *actuator-secrets mso: msoKeySecret: *mso-key +so-cnfm-lcm: + enabled: true + mariadb-galera: + <<: *mariadbGalera + db: + <<: *dbSecrets + so-etsi-nfvo-ns-lcm: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-mariadb: + mariadb-galera: + <<: *mariadbGalera db: rootPasswordExternalSecretLocalDb: *dbRootPassSecretName - rootPasswordExternalSecret: '{{ ternary .Values.db.rootPasswordExternalSecretLocalDb (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.localCluster }}' + #rootPasswordExternalSecretLocalDb: *dbRootPassSecretName + rootPasswordExternalSecret: '{{ .Values.global.mariadbGalera.localCluster | + ternary (tpl .Values.db.rootPasswordExternalSecretLocalDb .) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' backupCredsExternalSecret: *dbBackupCredsSecretName userCredsExternalSecret: *dbUserCredsSecretName adminCredsExternalSecret: *dbAdminCredsSecretName so-admin-cockpit: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets 
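Review bot: Each sub-chart block in this hunk now merges `<<: *mariadbGalera`, and the anchor defined on `mariadb-galera:` earlier in this file carries `rootUser.externalSecret: *dbRootPassSecretName` together with `persistence` and `replicaCount`. Every adapter's values therefore receive the database root secret reference, not only the connection details. Whether the sub-charts read `rootUser` is not visible here, but a narrower anchor holding only `nameOverride` and `service` would confine the root credential reference to the chart that provisions the database. The hunks that follow for `so-nssmf-adapter` through `so-etsi-sol005-adapter` repeat the same merge. In `so-mariadb`, the added `#rootPasswordExternalSecretLocalDb: *dbRootPassSecretName` duplicates the live line directly above it and can be dropped.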
@@ -359,11 +723,15 @@ so-nssmf-adapter: server: actuatorCredsExternalSecret: *actuator-secrets bpelCredsExternalSecret: *bpel-secrets + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-oof-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets mso: @@ -375,21 +743,29 @@ so-oof-adapter: so-openstack-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets logConfigMapNamePrefix: '{{ include "common.release" . }}-so' so-request-db-adapter: + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-sdc-controller: + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets logConfigMapNamePrefix: '{{ include "common.release" . }}-so' so-sdnc-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets mso: @@ -401,6 +777,8 @@ so-ve-vnfm-adapter: so-etsi-sol005-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets diff --git a/kubernetes/strimzi/Chart.yaml b/kubernetes/strimzi/Chart.yaml index 4ef20e19d2..1b927d6c4d 100644 --- a/kubernetes/strimzi/Chart.yaml +++ b/kubernetes/strimzi/Chart.yaml @@ -15,20 +15,20 @@ apiVersion: v2 description: ONAP Strimzi Kafka name: strimzi -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: strimzi-kafka-bridge - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/strimzi-kafka-bridge' condition: strimzi-kafka-bridge.enabled diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml index 8c290b2cec..e254d99710 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml 
@@ -15,9 +15,9 @@ apiVersion: v2 description: ONAP Strimzi Kafka Bridge name: strimzi-kafka-bridge -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/resources/config/log4j2.properties b/kubernetes/strimzi/components/strimzi-kafka-bridge/resources/config/log4j2.properties new file mode 100644 index 0000000000..e6ad8e0920 --- /dev/null +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/resources/config/log4j2.properties @@ -0,0 +1,38 @@ +name=BridgeConfig + +appender.console.type=Console +appender.console.name=STDOUT + +appender.console.layout.type = PatternLayout +appender.console.layout.pattern = [%d] %-5p <%-12.12c{1}:%L> [%-12.12t] %m%n + +# Alternate JSONLayout pattern config +#appender.console.layout.type=JSONLayout +#appender.console.layout.compact=true +#appender.console.layout.eventEol=true +#appender.console.layout.complete=true +#appender.console.layout.properties=false +#appender.console.layout.propertiesAsList=false +#appender.console.layout.locationInfo=true +#appender.console.layout.includeStacktrace=true +#appender.console.layout.stacktraceAsString=true +#appender.console.layout.includeNullDelimiter=false +#appender.console.layout.objectMessageAsJsonObject=true + +rootLogger.level=INFO +rootLogger.appenderRefs=console +rootLogger.appenderRef.console.ref=STDOUT +rootLogger.additivity=false + +logger.bridge.name=io.strimzi.kafka.bridge +logger.bridge.level=INFO +logger.bridge.appenderRefs=console +logger.bridge.appenderRef.console.ref=STDOUT +logger.bridge.additivity=false + +logger.healthy.name=http.openapi.operation.healthy +logger.healthy.level=WARN +logger.ready.name=http.openapi.operation.ready +logger.ready.level=WARN + +monitorInterval=30 
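Review bot: The console pattern in the new `log4j2.properties` writes `%m` unencoded, so a message containing CR or LF can split into what looks like separate log entries. For a bridge that presumably logs request-derived values, `appender.console.layout.pattern = [%d] %-5p <%-12.12c{1}:%L> [%-12.12t] %enc{%m}{CRLF}%n` keeps each event on one line. `%L` also forces a location lookup on every event, which deserves a comment if it is kept deliberately. `logger.healthy` and `logger.ready` set only a level, with no appender or `additivity` as `logger.bridge` has; a short comment saying they inherit the root appender would show that this is intended.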
diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml new file mode 100644 index 0000000000..25fbf3df77 --- /dev/null +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml @@ -0,0 +1,24 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-kb-logging-cm + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/log4j2.properties").AsConfig . | indent 2 }} + diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml index 3abb04af10..b081e290e3 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml @@ -28,3 +28,12 @@ spec: enableMetrics: {{ .Values.config.enableMetrics }} http: port: {{ .Values.config.port }} + logging: + type: external + valueFrom: + configMapKeyRef: + key: log4j2.properties + name: {{ include "common.fullname" . }}-kb-logging-cm + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml new file mode 100644 index 0000000000..12c742ef35 --- /dev/null +++ b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml @@ -0,0 +1,20 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +lowercaseOutputName: true +rules: + - pattern: kafka.cruisecontrol<>(\w+) + name: kafka_cruisecontrol_$1_$2 + type: GAUGE \ No newline at end of file diff --git a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml new file mode 100644 index 0000000000..7ad971fc16 --- /dev/null +++ b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml 
@@ -0,0 +1,137 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +lowercaseOutputName: true +rules: + # Special cases and very specific rules + - pattern: kafka.server<>Value + name: kafka_server_$1_$2 + type: GAUGE + labels: + clientId: "$3" + topic: "$4" + partition: "$5" + - pattern: kafka.server<>Value + name: kafka_server_$1_$2 + type: GAUGE + labels: + clientId: "$3" + broker: "$4:$5" + - pattern: kafka.server<>connections + name: kafka_server_$1_connections_tls_info + type: GAUGE + labels: + cipher: "$2" + protocol: "$3" + listener: "$4" + networkProcessor: "$5" + - pattern: kafka.server<>connections + name: kafka_server_$1_connections_software + type: GAUGE + labels: + clientSoftwareName: "$2" + clientSoftwareVersion: "$3" + listener: "$4" + networkProcessor: "$5" + - pattern: "kafka.server<>(.+):" + name: kafka_server_$1_$4 + type: GAUGE + labels: + listener: "$2" + networkProcessor: "$3" + - pattern: kafka.server<>(.+) + name: kafka_server_$1_$4 + type: GAUGE + labels: + listener: "$2" + networkProcessor: "$3" + # Some percent metrics use MeanRate attribute + # Ex) kafka.server<>MeanRate + - pattern: kafka.(\w+)<>MeanRate + name: kafka_$1_$2_$3_percent + type: GAUGE + # Generic gauges for percents + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3_percent + type: GAUGE + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3_percent + type: GAUGE + labels: + "$4": "$5" + # Generic per-second counters with 
0-2 key/value pairs + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_total + type: COUNTER + labels: + "$4": "$5" + "$6": "$7" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_total + type: COUNTER + labels: + "$4": "$5" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_total + type: COUNTER + # Generic gauges with 0-2 key/value pairs + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + "$6": "$7" + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3 + type: GAUGE + # Emulate Prometheus 'Summary' metrics for the exported 'Histogram's. + # Note that these are missing the '_sum' metric! + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_count + type: COUNTER + labels: + "$4": "$5" + "$6": "$7" + - pattern: kafka.(\w+)<>(\d+)thPercentile + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + "$6": "$7" + quantile: "0.$8" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_count + type: COUNTER + labels: + "$4": "$5" + - pattern: kafka.(\w+)<>(\d+)thPercentile + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + quantile: "0.$6" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_count + type: COUNTER + - pattern: kafka.(\w+)<>(\d+)thPercentile + name: kafka_$1_$2_$3 + type: GAUGE + labels: + quantile: "0.$4" \ No newline at end of file diff --git a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml new file mode 100644 index 0000000000..6a1eab7825 --- /dev/null +++ b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml 
@@ -0,0 +1,44 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +lowercaseOutputName: true +rules: + # replicated Zookeeper + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$2" + type: GAUGE + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$3" + type: GAUGE + labels: + replicaId: "$2" + - pattern: "org.apache.ZooKeeperService<>(Packets\\w+)" + name: "zookeeper_$4" + type: COUNTER + labels: + replicaId: "$2" + memberType: "$3" + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$4" + type: GAUGE + labels: + replicaId: "$2" + memberType: "$3" + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$4_$5" + type: GAUGE + labels: + replicaId: "$2" + memberType: "$3" \ No newline at end of file diff --git a/kubernetes/strimzi/templates/configmap.yaml b/kubernetes/strimzi/templates/configmap.yaml new file mode 100644 index 0000000000..ace51f78ba --- /dev/null +++ b/kubernetes/strimzi/templates/configmap.yaml 
@@ -0,0 +1,21 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: {{ tpl (.Files.Glob "resources/metrics/*").AsConfig . | nindent 2 }} +{{ end }} diff --git a/kubernetes/strimzi/templates/ingress.yaml b/kubernetes/strimzi/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/strimzi/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/strimzi/templates/kafka-rebalance.yaml b/kubernetes/strimzi/templates/kafka-rebalance.yaml new file mode 100644 index 0000000000..6d5f143220 --- /dev/null +++ b/kubernetes/strimzi/templates/kafka-rebalance.yaml 
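Review bot: The metrics ConfigMap in templates/configmap.yaml is rendered only when `.Values.metrics.enabled` is true, but strimzi-kafka.yaml in this commit references its keys through `configMapKeyRef` under different switches: `.Values.metrics.kafkaExporter.enabled` for the kafka and zookeeper `metricsConfig`, and `.Values.cruiseControl.enabled` for the Cruise Control one. Enabling either of those while `metrics.enabled` stays false points the Kafka resource at a ConfigMap that is never created. I would widen the guard to `{{- if or .Values.metrics.enabled .Values.metrics.kafkaExporter.enabled .Values.cruiseControl.enabled }}`, or gate all consumers on the same flag. The closing `{{ end }}` also lacks the `-` trim used on the opening line.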
@@ -0,0 +1,24 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +{{- if .Values.cruiseControl.kafkaRebalance.enabled }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaRebalance +metadata: + name: {{ include "common.fullname" . }}-kafka-rebalance + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: {} +{{- end }} diff --git a/kubernetes/strimzi/templates/pod-monitor.yaml b/kubernetes/strimzi/templates/pod-monitor.yaml new file mode 100644 index 0000000000..be288a4d75 --- /dev/null +++ b/kubernetes/strimzi/templates/pod-monitor.yaml 
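Review bot: The KafkaRebalance resource is guarded only by `.Values.cruiseControl.kafkaRebalance.enabled`, while the `cruiseControl` section of the Kafka resource in strimzi-kafka.yaml is guarded by `.Values.cruiseControl.enabled`. Setting the first flag alone creates a KafkaRebalance that nothing can act on, because the rebalance is carried out by Cruise Control. I would tie the two together with `{{- if and .Values.cruiseControl.enabled .Values.cruiseControl.kafkaRebalance.enabled }}`.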
@@ -0,0 +1,45 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +{{- if .Values.metrics.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ include "common.fullname" . }}-podmonitor + ## podMonitor labels for prometheus to pick up the podMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.PodMonitor + ## + # labels: + # prometheus: kube-prometheus + labels: {{- toYaml $.Values.metrics.podMonitor.labels | nindent 4 }} +spec: + selector: + matchLabels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi + podMetricsEndpoints: + - port: {{ .Values.metrics.podMonitor.port }} + {{- if .Values.metrics.podMonitor.relabelings }} + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + relabelings: {{- toYaml .Values.metrics.podMonitor.relabelings | nindent 6 }} + {{- end }} + {{- if .Values.metrics.podMonitor.metricRelabelings }} + metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }} + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + {{- end }} +{{- end }} 
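Review bot: The comments on `relabelings` and `metricRelabelings` say "Value is evalued as a template", but both values are emitted with `toYaml` and never passed through `tpl`, so a template expression placed in values would be rendered literally. Either drop that sentence or replace it with `## Rendered verbatim with toYaml (not evaluated as a template)`. The `metricRelabelings` comment block also sits after the key it describes and should move above it to match `relabelings`. The commented-out `# labels:` example directly above the real `labels:` key is easy to misread and could be folded into the values.yaml comment instead.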
diff --git a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml index c1bf4b8b14..4532777f9e 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml @@ -22,10 +22,3 @@ metadata: spec: authentication: type: {{ .Values.config.saslMechanism }} - authorization: - type: {{ .Values.config.authType }} - acls: - - resource: - type: group - name: onap-group - operation: Read \ No newline at end of file diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml index b35485f11c..aee4696fe0 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml 
@@ -35,29 +35,56 @@ spec: type: tls - name: external port: 9094 - type: nodeport - tls: true + type: {{ if (include "common.ingressEnabled" .) }}cluster-ip{{ else }}nodeport{{ end }} + tls: {{ if (include "common.ingressEnabled" .) }}false{{ else }}true{{ end }} authentication: - type: tls + type: {{ if (include "common.ingressEnabled" .) }}{{ .Values.config.saslMechanism }}{{ else }}tls{{ end }} configuration: + {{- if not (include "common.ingressEnabled" .) }} bootstrap: nodePort: {{ .Values.global.nodePortPrefixExt }}93 + {{- end }} brokers: - broker: 0 + advertisedHost: {{ .Values.config.advertisedHost }} + advertisedPort: {{ .Values.config.advertizedPortBroker0 }} + {{- if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt }}90 + {{- end }} - broker: 1 + advertisedHost: {{ .Values.config.advertisedHost }} + advertisedPort: {{ .Values.config.advertizedPortBroker1 }} + {{- if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt }}91 + {{- end }} - broker: 2 + advertisedHost: {{ .Values.config.advertisedHost }} + advertisedPort: {{ .Values.config.advertizedPortBroker2 }} + {{- if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt }}92 + {{- end }} authorization: type: {{ .Values.config.authType }} superUsers: - {{ .Values.config.strimziKafkaAdminUser }} template: pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} securityContext: runAsUser: 0 fsGroup: 0 + {{- if .Values.affinity.podAntiAffinity.enabled }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: strimzi.io/name + operator: In + values: + - {{ include "common.fullname" . }}-kafka + topologyKey: "kubernetes.io/hostname" + {{- end }} config: default.replication.factor: {{ .Values.replicaCount }} min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} 
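Review bot: With ingress enabled the external listener on port 9094 is rendered with `tls: false` and SCRAM authentication, so the hop between the ingress gateway and the brokers carries Kafka traffic unencrypted; TLS is presumably terminated at the gateway (`exposedProtocol: TLS` in values.yaml), but nothing in the template says so. SCRAM protects the credential exchange, not the records that follow it. I would add a comment above the listener such as `# ingress mode: TLS terminates at the gateway, the broker hop is plaintext and relies on mesh mTLS or a trusted cluster network`, so the trade-off is a documented decision rather than an implicit one. The listener list and the `spec` it belongs to start outside this hunk.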
@@ -67,6 +94,7 @@ spec: transaction.state.log.min.isr: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} log.message.format.version: {{ .Values.config.kafkaVersion }} inter.broker.protocol.version: {{ .Values.config.kafkaVersion }} + auto.create.topics.enable: {{ .Values.config.autoCreateTopics }} storage: type: jbod volumes: @@ -75,12 +103,33 @@ spec: size: {{ .Values.persistence.kafka.size }} deleteClaim: true class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }} + {{- if .Values.metrics.kafkaExporter.enabled }} + metricsConfig: + type: {{ .Values.metrics.kafkaExporter.metricsConfig.type }} + valueFrom: + configMapKeyRef: + name: {{ include "common.fullname" . }} + key: kafka-metrics-config.yml + {{- end }} zookeeper: template: pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} securityContext: runAsUser: 0 fsGroup: 0 + {{- if .Values.affinity.podAntiAffinity.enabled }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: strimzi.io/name + operator: In + values: + - {{ include "common.fullname" . }}-zookeeper + topologyKey: "kubernetes.io/hostname" + {{- end }} replicas: {{ .Values.replicaCount }} config: ssl.hostnameVerification: false 
@@ -93,7 +142,52 @@ spec: size: {{ .Values.persistence.zookeeper.size }} deleteClaim: true class: {{ include "common.storageClass" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }} + {{- if .Values.metrics.kafkaExporter.enabled }} + metricsConfig: + type: {{ .Values.metrics.kafkaExporter.metricsConfig.type }} + valueFrom: + configMapKeyRef: + name: {{ include "common.fullname" . }} + key: zookeeper-metrics-config.yml + {{- end }} entityOperator: + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} topicOperator: {} userOperator: {} - + {{- if .Values.cruiseControl.enabled }} + cruiseControl: + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} + metricsConfig: + type: {{ .Values.cruiseControl.metricsConfig.type }} + valueFrom: + configMapKeyRef: + name: {{ include "common.fullname" . }} + key: cruisecontrol-metrics-config.yml + {{- end }} + {{- if .Values.metrics.kafkaExporter.enabled }} + kafkaExporter: + template: + pod: + {{- include "common.imagePullSecrets" . 
| nindent 8 }} + topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }} + groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }} + resources: + requests: + cpu: {{ .Values.metrics.kafkaExporter.resources.requests.cpu }} + memory: {{ .Values.metrics.kafkaExporter.resources.requests.memory }} + limits: + cpu: {{ .Values.metrics.kafkaExporter.resources.limits.cpu }} + memory: {{ .Values.metrics.kafkaExporter.resources.limits.memory }} + logging: {{ .Values.metrics.kafkaExporter.logging }} + enableSaramaLogging: {{ .Values.metrics.kafkaExporter.enableSaramaLogging }} + readinessProbe: + initialDelaySeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.timeoutSeconds }} + livenessProbe: + initialDelaySeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.timeoutSeconds }} + {{- end }} diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml index e6da1d55db..3cced3e41a 100644 --- a/kubernetes/strimzi/values.yaml +++ b/kubernetes/strimzi/values.yaml 
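Review bot: `topicRegex` and `groupRegex` in the `kafkaExporter` block are rendered unquoted, so the YAML only parses for patterns that happen to be valid plain scalars; the default `.*` is, but an override starting with `*`, `[` or `{`, or containing `: `, would break the manifest or change its meaning. Quote both: `topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex | quote }}` and `groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex | quote }}`. The same block also depends on the metrics ConfigMap through the `metricsConfig` references earlier in this hunk, which are only valid when that ConfigMap is actually rendered.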
@@ -19,16 +19,30 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs + ingress: + virtualhost: + baseurl: &baseurl "simpledemo.onap.org" + preaddr: &preaddr "" + postaddr: &postaddr "" + ################################################################# # Application configuration defaults. ################################################################# replicaCount: 3 +affinity: + podAntiAffinity: + enabled: true config: - kafkaVersion: 3.2.3 + kafkaVersion: 3.7.0 authType: simple saslMechanism: &saslMech scram-sha-512 kafkaInternalPort: &plainPort 9092 strimziKafkaAdminUser: &adminUser strimzi-kafka-admin + advertisedHost: kafka-api.simpledemo.onap.org + advertizedPortBroker0: &advertizedPortBroker0 9000 + advertizedPortBroker1: &advertizedPortBroker1 9001 + advertizedPortBroker2: &advertizedPortBroker2 9002 + autoCreateTopics: true persistence: enabled: &pvenabled true 
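Review bot: `advertisedHost: kafka-api.simpledemo.onap.org` repeats the domain already anchored as `&baseurl` a few lines above, so overriding `global.ingress.virtualhost.baseurl` leaves the brokers advertising the old host name. strimzi-kafka.yaml in this commit also sets `advertisedHost` and `advertisedPort` on every broker outside the `common.ingressEnabled` guard, which looks as if nodeport deployments would advertise ports 9000–9002 instead of their node ports; that is worth confirming. I would add a comment on the key, `# must equal ingress baseaddr + global.ingress.virtualhost.baseurl; only meaningful when ingress is enabled`. The key names also mix `advertised` and `advertized`.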
@@ -56,6 +70,78 @@ serviceAccount: roles: - read +ingress: + enabled: false + service: + - baseaddr: "kafka-bootstrap-api" + name: "onap-strimzi-kafka-external-bootstrap" + port: 9094 + protocol: tcp + exposedPort: 9010 + exposedProtocol: TLS + - baseaddr: "kafka-api" + tcpRoutes: + - name: "onap-strimzi-kafka-0" + port: 9094 + exposedPort: *advertizedPortBroker0 + exposedProtocol: TLS + - name: "onap-strimzi-kafka-1" + port: 9094 + exposedPort: *advertizedPortBroker1 + exposedProtocol: TLS + - name: "onap-strimzi-kafka-2" + port: 9094 + exposedPort: *advertizedPortBroker2 + exposedProtocol: TLS + +# Kafka Exporter for metrics +metrics: + enabled: false + kafkaExporter: + enabled: false + metricsConfig: + type: jmxPrometheusExporter + topicRegex: ".*" + groupRegex: ".*" + resources: + requests: + cpu: "2" + memory: "600Mi" + limits: + cpu: "5" + memory: "1.5Gi" + logging: debug + enableSaramaLogging: true + readinessProbe: + initialDelaySeconds: 15 + timeoutSeconds: 5 + livenessProbe: + initialDelaySeconds: 15 + timeoutSeconds: 5 + podMonitor: + # Prometheus pre requisite. Currently an optional addon in the OOM docs + enabled: false + # default port for strimzi metrics + port: "tcp-prometheus" + # podMonitor labels for prometheus to pick up the podMonitor + # dummy value + labels: + release: dummy + relabelings: [] + metricRelabelings: [] + +cruiseControl: +## Cruise Control provides a Kafka metrics reporter implementation +## once installed into the Kafka brokers, filters and records a wide range of metrics provided by the brokers themselves. +## pre requisite is having 2 or more broker nodes + enabled: false + metricsConfig: + type: jmxPrometheusExporter + ## Custom resource for Kafka that can rebalance your cluster + # ref. https://strimzi.io/blog/2020/06/15/cruise-control/ + kafkaRebalance: + enabled: false + ###################### # Component overrides ###################### 
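Review bot: The Kafka Exporter defaults ship with `logging: debug` and `enableSaramaLogging: true`, which makes the most verbose client logging the baseline for anyone who only flips `kafkaExporter.enabled`. Debug-level client logs add volume and put more cluster detail into the log pipeline than routine monitoring needs. I would default to `logging: info` and `enableSaramaLogging: false` and leave debug as an override. Separately, the ingress entries hard-code `onap-strimzi-kafka-0` and `onap-strimzi-kafka-external-bootstrap`, which only match when the release is named `onap`.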
@@ -64,4 +150,4 @@ strimzi-kafka-bridge: config: saslMechanism: *saslMech kafkaInternalPort: *plainPort - strimziKafkaAdminUser: *adminUser \ No newline at end of file + strimziKafkaAdminUser: *adminUser diff --git a/kubernetes/uui/Chart.yaml b/kubernetes/uui/Chart.yaml index 6acf6f2e4d..7c4a5b78ca 100644 --- a/kubernetes/uui/Chart.yaml +++ b/kubernetes/uui/Chart.yaml @@ -18,27 +18,24 @@ apiVersion: v2 description: ONAP uui name: uui -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: uui-server - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/uui-server' - name: uui-nlp - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/uui-nlp' - name: uui-intent-analysis - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/uui-intent-analysis' diff --git a/kubernetes/uui/components/uui-intent-analysis/Chart.yaml b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml index 89b67993e4..bd1f6eedab 100644 --- a/kubernetes/uui/components/uui-intent-analysis/Chart.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml 
@@ -15,21 +15,21 @@ apiVersion: v2 description: ONAP uui intent analysis name: uui-intent-analysis -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql b/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql index ac3eaf0fed..323deef209 100644 --- a/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql +++ b/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql @@ -21,7 +21,8 @@ CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; create table if not exists intent( intent_id varchar(255) primary key, - intent_name varchar(255) + intent_name varchar(255), + intent_generateType VARCHAR (225) ); create table if not exists expectation( 
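Review bot: The new `intent_generateType` column is added inside `create table if not exists intent`, so a database that already holds the `intent` table keeps its old schema and never gets the column. If this init script runs against persisted data on upgrade (not visible from the hunk), follow the create with `alter table intent add column if not exists intent_generateType varchar(225);`. The width `VARCHAR (225)` next to the 255-wide sibling columns looks like a typo worth confirming, and the mixed-case name is folded to lower case by PostgreSQL unless quoted.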
@@ -89,3 +90,21 @@ create table if not exists intent_management_function_reg_info( handle_name varchar(255), intent_function_type varchar(255) ); + +create table if not exists intent_event_record( + id varchar(255) DEFAULT uuid_generate_v4 (), + intent_id varchar(255), + intent_name varchar(255), + intent_status varchar (225), + operate_type varchar (225), + parent_id varchar(255) + ); + +-- ---------------------------- +-- Records of intent_management_function_reg_info +-- ---------------------------- + +insert into intent_management_function_reg_info(imfr_info_id, imfr_info_description, support_area, support_model, support_interfaces, handle_name, intent_function_type) select 'CLLBusinessId','CLLBusiness','CLLBUSINESS',null,'CREATE,DELETE,UPDATE,SEARCH','CLLBusinessIntentManagementFunction','INTERNALFUNCTION' where not exists(select * from intent_management_function_reg_info where imfr_info_id='CLLBusinessId' ) +insert into intent_management_function_reg_info(imfr_info_id, imfr_info_description, support_area, support_model, support_interfaces, handle_name, intent_function_type) select 'CLLDeliveryId','CLLDelivery','CLLBUSINESS,DELIVERY',null,'CREATE,DELETE,UPDATE,SEARCH','CLLDeliveryIntentManagementFunction','INTERNALFUNCTION' where not exists(select * from intent_management_function_reg_info where imfr_info_id='CLLDeliveryId' ) +insert into intent_management_function_reg_info(imfr_info_id, imfr_info_description, support_area, support_model, support_interfaces, handle_name, intent_function_type) select 'CLLAssuranceId','CLLAssurance','CLLBUSINESS,ASSURANCE',null,'CREATE,DELETE,UPDATE,SEARCH','CLLAssuranceIntentManagementFunction','INTERNALFUNCTION' where not exists(select * from intent_management_function_reg_info where imfr_info_id='CLLAssuranceId' ) + diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml index 91d96c232f..d2824d1bbb 100644 
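Review bot: The three added `insert into intent_management_function_reg_info ... where not exists(...)` statements have no terminating `;`, so as shown they run together into one statement and the seed data would fail to load. End each one with a semicolon, e.g. `... where imfr_info_id='CLLBusinessId' );`. The new `intent_event_record` table gives `id` a `uuid_generate_v4()` default but declares no `primary key`, unlike the other tables visible in this file; if `id` is meant to identify the row, declare it as `id varchar(255) primary key DEFAULT uuid_generate_v4 ()`.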
--- a/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml @@ -54,8 +54,7 @@ spec: port: {{ .Values.readiness.port }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} {{- end }} @@ -72,5 +71,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-entrypoint defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml index edcf3fe09f..9c499132a9 100644 --- a/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml @@ -37,8 +37,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" + - --service-name + - "{{ .Values.postgres.service.name2 }}" env: - name: NAMESPACE valueFrom: @@ -48,6 +48,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.image.postgres" . }} 
@@ -66,8 +73,9 @@ spec: - name: init-data mountPath: /aaa/init/intent-analysis-init.sql subPath: intent-analysis-init.sql - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: init-data configMap: diff --git a/kubernetes/uui/components/uui-intent-analysis/values.yaml b/kubernetes/uui/components/uui-intent-analysis/values.yaml index 65cc4004bb..c638303d86 100644 --- a/kubernetes/uui/components/uui-intent-analysis/values.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/values.yaml @@ -40,7 +40,7 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -image: onap/usecase-ui-intent-analysis:5.1.1 +image: onap/usecase-ui-intent-analysis:5.2.4 pullPolicy: Always # flag to enable debugging - application support required @@ -90,8 +90,12 @@ postgres: readinessCheck: wait_for: - containers: - - *postgresName + services: + - '{{ .Values.postgres.service.name2 }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -106,16 +110,17 @@ readinessCheck: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 100m - memory: 250Mi + cpu: "1" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "4" + memory: "2Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "2" + memory: "1Gi" unlimited: {} + diff --git a/kubernetes/uui/components/uui-nlp/Chart.yaml b/kubernetes/uui/components/uui-nlp/Chart.yaml index 3d7bd08f29..681b7bc90c 100644 --- a/kubernetes/uui/components/uui-nlp/Chart.yaml 
+++ b/kubernetes/uui/components/uui-nlp/Chart.yaml @@ -20,15 +20,15 @@ apiVersion: v2 description: ONAP UUI NLP name: uui-nlp -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/uui/components/uui-nlp/templates/deployment.yaml b/kubernetes/uui/components/uui-nlp/templates/deployment.yaml index e72ee448c6..8ef27920b6 100644 --- a/kubernetes/uui/components/uui-nlp/templates/deployment.yaml +++ b/kubernetes/uui/components/uui-nlp/templates/deployment.yaml @@ -57,6 +57,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-nlp/templates/ingress.yaml b/kubernetes/uui/components/uui-nlp/templates/ingress.yaml index 8f87c68f1e..1471cb1d75 100644 --- a/kubernetes/uui/components/uui-nlp/templates/ingress.yaml +++ b/kubernetes/uui/components/uui-nlp/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} 
diff --git a/kubernetes/uui/components/uui-nlp/values.yaml b/kubernetes/uui/components/uui-nlp/values.yaml index b8c4b2fa69..cdfa50e3c0 100644 --- a/kubernetes/uui/components/uui-nlp/values.yaml +++ b/kubernetes/uui/components/uui-nlp/values.yaml @@ -19,7 +19,7 @@ global: pullPolicy: Always persistence: {} -image: onap/usecase-ui-nlp:1.0.3 +image: onap/usecase-ui-nlp:1.0.5 uui-nlp: enabled: true @@ -81,16 +81,16 @@ securityContext: resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 0.5 - memory: 512Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/uui/components/uui-server/Chart.yaml b/kubernetes/uui/components/uui-server/Chart.yaml index a93cb669ba..82e395ed45 100644 --- a/kubernetes/uui/components/uui-server/Chart.yaml +++ b/kubernetes/uui/components/uui-server/Chart.yaml @@ -17,21 +17,18 @@ apiVersion: v2 description: ONAP uui server name: uui-server -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/uui/components/uui-server/resources/config/application.properties b/kubernetes/uui/components/uui-server/resources/config/application.properties index ee531dc741..36308c0313 100644 --- a/kubernetes/uui/components/uui-server/resources/config/application.properties +++ b/kubernetes/uui/components/uui-server/resources/config/application.properties 
@@ -46,8 +46,3 @@ logging.level.*=INFO #enable shutdown endpoints.shutdown.enabled=true endpoints.shutdown.sensitive=false - -server.ssl.protocol=TLS -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.key-store-type=PKCS12 diff --git a/kubernetes/uui/components/uui-server/templates/deployment.yaml b/kubernetes/uui/components/uui-server/templates/deployment.yaml index 13b8774f47..ae08054d88 100644 --- a/kubernetes/uui/components/uui-server/templates/deployment.yaml +++ b/kubernetes/uui/components/uui-server/templates/deployment.yaml @@ -22,12 +22,11 @@ spec: selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - {{- include "common.templateMetadata" . | nindent 6 }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - command: - sh args: @@ -52,8 +51,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" + - --service-name + - "{{ .Values.postgres.service.name2 }}" env: - name: NAMESPACE valueFrom: @@ -63,6 +62,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -72,10 +78,8 @@ spec: args: - -c - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) bash /uui/run.sh - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -104,7 +108,7 @@ spec: value: --spring.config.location=file:/config/application.properties - name: POSTGRES_DB_NAME value: {{ .Values.postgres.config.pgDatabase }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - mountPath: /uui/run.sh name: entrypoint subPath: run.sh @@ -122,6 +126,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-entrypoint defaultMode: 0755 - {{ include "common.certInitializer.volumes" . | nindent 6 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-server/templates/ingress.yaml b/kubernetes/uui/components/uui-server/templates/ingress.yaml index 8f87c68f1e..1f6ec7ab0e 100644 --- a/kubernetes/uui/components/uui-server/templates/ingress.yaml +++ b/kubernetes/uui/components/uui-server/templates/ingress.yaml 
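Review bot: Dropping the `export $(cat ... mycreds.prop | xargs -0)` line here, together with the `server.ssl.*` removal in application.properties, leaves uui-server listening without TLS, while that same properties file keeps `endpoints.shutdown.enabled=true` and `endpoints.shutdown.sensitive=false`. If the shutdown endpoint is reachable on the service port (this depends on the application version and is not visible here), it is now served in plaintext and without authentication. I would set `endpoints.shutdown.enabled=false` in application.properties, or add a comment there stating that transport security and access control are delegated to the service mesh. The container spec continues outside this hunk.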
@@ -1 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/uui/components/uui-server/templates/job.yaml b/kubernetes/uui/components/uui-server/templates/job.yaml index 73bde037de..e995c58a16 100644 --- a/kubernetes/uui/components/uui-server/templates/job.yaml +++ b/kubernetes/uui/components/uui-server/templates/job.yaml @@ -29,8 +29,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" + - --service-name + - "{{ .Values.postgres.service.name2 }}" env: - name: NAMESPACE valueFrom: @@ -40,6 +40,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy}} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.image.postgres" . }} 
@@ -58,10 +65,10 @@ spec: - name: init-data mountPath: /aaa/init/postgres.sql subPath: postgres.sql - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: init-data configMap: name: {{ include "common.fullname" . }} - diff --git a/kubernetes/uui/components/uui-server/templates/service.yaml b/kubernetes/uui/components/uui-server/templates/service.yaml index 157dac396d..fd6a25408d 100644 --- a/kubernetes/uui/components/uui-server/templates/service.yaml +++ b/kubernetes/uui/components/uui-server/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T, ZTE # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,40 +15,4 @@
 # limitations under the License.
 */}}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
- annotations:
- msb.onap.org/service-info: '[
- {
- "serviceName": "usecaseui-server",
- "version": "v1",
- "url": "/api/usecaseui-server/v1",
- "protocol": "REST",
- "port": "{{.Values.service.internalPort}}",
- "visualRange":"1",
- "enable_ssl": true
- }
- ]'
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.uuiPortPrefix | default .Values.uuiPortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
- {{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
+{{ include "common.service" . }}
diff --git a/kubernetes/uui/components/uui-server/values.yaml b/kubernetes/uui/components/uui-server/values.yaml
index 44f4399d10..d1bc3379d0 100644
--- a/kubernetes/uui/components/uui-server/values.yaml
+++ b/kubernetes/uui/components/uui-server/values.yaml
@@ -20,7 +20,7 @@
 # Global configuration defaults.
 #################################################################
 global:
- uuiPortPrefix: 303
+ nodePortPrefix: 302
 secrets:
 - uid: pg-root-pass
@@ -37,46 +37,6 @@ secrets:
 password: '{{ .Values.postgres.config.pgUserPassword }}'
 passwordPolicy: generate
-
-#################################################################
-# AAF part
-#################################################################
-certInitializer:
- nameOverride: uui-server-cert-initializer
- aafDeployFqi: deployer@people.osaaf.org
- aafDeployPass: demo123456!
- # aafDeployCredsExternalSecret: some secret
- fqdn: uui
- fqi: uui@uui.onap.org
- fqi_namespace: org.onap.uui
- public_fqdn: uui.onap.org
- cadi_longitude: "0.0"
- cadi_latitude: "0.0"
- app_ns: org.osaaf.aaf
- credsPath: /opt/app/osaaf/local
- aaf_add_config: |
- echo "*** changing them into shell safe ones"
- export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
- cd {{ .Values.credsPath }}
- keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
- -storepass "${cadi_keystore_password_p12}" \
- -keystore {{ .Values.fqi_namespace }}.p12
- keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \
- -storepass "${cadi_truststore_password}" \
- -keystore {{ .Values.fqi_namespace }}.trust.jks
- echo "*** set key password as same password as keystore password"
- keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \
- -keystore {{ .Values.fqi_namespace }}.jks \
- -keypass "${cadi_keystore_password_p12}" \
- -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }}
- echo "*** save the generated passwords"
- echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
- echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop
- echo "*** change ownership of certificates to targeted user"
- chown -R 1000 {{ .Values.credsPath }}
-
-
 #################################################################
 # Application configuration defaults.
 #################################################################
@@ -88,12 +48,12 @@ flavor: small
 # application image
 repository: nexus3.onap.org:10001
-image: onap/usecase-ui-server:5.1.3
+image: onap/usecase-ui-server:5.2.2
 pullPolicy: Always
 # application configuration
-msbaddr: msb-iag.{{include "common.namespace" .}}:443
+msbaddr: msb-iag.{{include "common.namespace" .}}:80
 mraddr: message-router.{{include "common.namespace" .}}:3904
 # application configuration override for postgres
@@ -143,18 +103,33 @@ readiness:
 service:
 type: NodePort
 name: uui-server
- portName: http
 internalPort: 8082
- nodePort: 99
+ nodePortPrefixOverride: 303
+ ports:
+ - name: http
+ port: 8082
+ nodePort: '99'
+ annotations:
+ msb.onap.org/service-info: |
+ {{ if .Values.global.msbEnabled -}}[
+ {
+ "serviceName": "usecaseui-server",
+ "version": "v1",
+ "url": "/api/usecase-server/v1",
+ "path":"/iui/usecaseui",
+ "protocol": "REST",
+ "visualRange":"1",
+ "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}",
+ "enable_ssl": false
+ }
+ ]{{ end }}
 ingress:
 enabled: false
 service:
- - baseaddr: uui-server-api
+ - baseaddr: "uui-server-api"
 name: "uui-server"
 port: 8082
- config:
- ssl: "redirect"
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -169,18 +144,18 @@ ingress:
 resources:
 small:
 limits:
- cpu: 1.5
- memory: 350Mi
+ cpu: "1.5"
+ memory: "2Gi"
 requests:
- cpu: 1
- memory: 245Mi
+ cpu: "1"
+ memory: "1Gi"
 large:
 limits:
- cpu: 2
- memory: 500Mi
+ cpu: "2"
+ memory: "4Gi"
 requests:
- cpu: 1
- memory: 500Mi
+ cpu: "1"
+ memory: "2Gi"
 unlimited: {}
 serviceAccount:
@@ -190,4 +165,8 @@ serviceAccount:
 securityContext:
 user_id: 100
- group_id: 655533
\ No newline at end of file
+ group_id: 655533
+
+wait_for_job_container:
+ containers:
+ - '{{ include "common.name" . }}-job'
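Review bot: The `msbaddr` change from port 443 to 80 in the `@@ -88,12 +48,12 @@` hunk, together with `"enable_ssl": false` and the dropped `ssl: "redirect"` ingress setting in the `@@ -143,18 +103,33 @@` hunk, leaves this chart with no TLS of its own on the uui-server API, while the service stays `type: NodePort`. If transport encryption is now expected from a service mesh or ingress gateway outside this chart, nothing visible here says so; a comment such as `# plaintext by design: TLS is terminated by <mesh or ingress component>` above `msbaddr` would record that assumption. Without such a layer the API and its MSB traffic would travel in cleartext, so the deployment documentation should state the dependency.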
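Review bot: `group_id: 655533` in the `@@ -190,4 +165,8 @@` hunk is re-added unchanged while the trailing newline is fixed, and the six-digit value may be a typo for 65533. How `securityContext.group_id` is consumed is not visible in this hunk, so confirm the value against the group that owns the files in the image. If it is a typo, the line should read `group_id: 65533`.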
diff --git a/kubernetes/uui/resources/config/server.xml b/kubernetes/uui/resources/config/server.xml index 275fcd8b14..f464074769 100644 --- a/kubernetes/uui/resources/config/server.xml +++ b/kubernetes/uui/resources/config/server.xml @@ -24,7 +24,7 @@ --> - + 
@@ -61,11 +61,7 @@ APR (HTTP/AJP) Connector: /docs/apr.html Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 --> - - - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + org.apache.catalina.servlets.DefaultServlet + + debug + 0 + + + listings + false + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + jsp + org.apache.jasper.servlet.JspServlet + + fork + false + + + xpoweredBy + false + + 3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + / + + + + + jsp + *.jsp + *.jspx + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 30 + + + + + + + + + + + + + 123 + application/vnd.lotus-1-2-3 + + + 3dml + text/vnd.in3d.3dml + + + 3ds + image/x-3ds + + + 3g2 + video/3gpp2 + + + 3gp + video/3gpp + + + 7z + application/x-7z-compressed + + + aab + application/x-authorware-bin + + + aac + audio/x-aac + + + aam + application/x-authorware-map + + + aas + application/x-authorware-seg + + + abs + audio/x-mpeg + + + abw + application/x-abiword + + + ac + application/pkix-attr-cert + + + acc + application/vnd.americandynamics.acc + + + ace + application/x-ace-compressed + + + acu + application/vnd.acucobol + + + acutc + application/vnd.acucorp + + + adp + audio/adpcm + + + aep + application/vnd.audiograph + + + afm + 
application/x-font-type1 + + + afp + application/vnd.ibm.modcap + + + ahead + application/vnd.ahead.space + + + ai + application/postscript + + + aif + audio/x-aiff + + + aifc + audio/x-aiff + + + aiff + audio/x-aiff + + + aim + application/x-aim + + + air + application/vnd.adobe.air-application-installer-package+zip + + + ait + application/vnd.dvb.ait + + + ami + application/vnd.amiga.ami + + + anx + application/annodex + + + apk + application/vnd.android.package-archive + + + appcache + text/cache-manifest + + + application + application/x-ms-application + + + apr + application/vnd.lotus-approach + + + arc + application/x-freearc + + + art + image/x-jg + + + asc + application/pgp-signature + + + asf + video/x-ms-asf + + + asm + text/x-asm + + + aso + application/vnd.accpac.simply.aso + + + asx + video/x-ms-asf + + + atc + application/vnd.acucorp + + + atom + application/atom+xml + + + atomcat + application/atomcat+xml + + + atomsvc + application/atomsvc+xml + + + atx + application/vnd.antix.game-component + + + au + audio/basic + + + avi + video/x-msvideo + + + avx + video/x-rad-screenplay + + + aw + application/applixware + + + axa + audio/annodex + + + axv + video/annodex + + + azf + application/vnd.airzip.filesecure.azf + + + azs + application/vnd.airzip.filesecure.azs + + + azw + application/vnd.amazon.ebook + + + bat + application/x-msdownload + + + bcpio + application/x-bcpio + + + bdf + application/x-font-bdf + + + bdm + application/vnd.syncml.dm+wbxml + + + bed + application/vnd.realvnc.bed + + + bh2 + application/vnd.fujitsu.oasysprs + + + bin + application/octet-stream + + + blb + application/x-blorb + + + blorb + application/x-blorb + + + bmi + application/vnd.bmi + + + bmp + image/bmp + + + body + text/html + + + book + application/vnd.framemaker + + + box + application/vnd.previewsystems.box + + + boz + application/x-bzip2 + + + bpk + application/octet-stream + + + btif + image/prs.btif + + + bz + application/x-bzip + + + bz2 + application/x-bzip2 + 
+ + c + text/x-c + + + c11amc + application/vnd.cluetrust.cartomobile-config + + + c11amz + application/vnd.cluetrust.cartomobile-config-pkg + + + c4d + application/vnd.clonk.c4group + + + c4f + application/vnd.clonk.c4group + + + c4g + application/vnd.clonk.c4group + + + c4p + application/vnd.clonk.c4group + + + c4u + application/vnd.clonk.c4group + + + cab + application/vnd.ms-cab-compressed + + + caf + audio/x-caf + + + cap + application/vnd.tcpdump.pcap + + + car + application/vnd.curl.car + + + cat + application/vnd.ms-pki.seccat + + + cb7 + application/x-cbr + + + cba + application/x-cbr + + + cbr + application/x-cbr + + + cbt + application/x-cbr + + + cbz + application/x-cbr + + + cc + text/x-c + + + cct + application/x-director + + + ccxml + application/ccxml+xml + + + cdbcmsg + application/vnd.contact.cmsg + + + cdf + application/x-cdf + + + cdkey + application/vnd.mediastation.cdkey + + + cdmia + application/cdmi-capability + + + cdmic + application/cdmi-container + + + cdmid + application/cdmi-domain + + + cdmio + application/cdmi-object + + + cdmiq + application/cdmi-queue + + + cdx + chemical/x-cdx + + + cdxml + application/vnd.chemdraw+xml + + + cdy + application/vnd.cinderella + + + cer + application/pkix-cert + + + cfs + application/x-cfs-compressed + + + cgm + image/cgm + + + chat + application/x-chat + + + chm + application/vnd.ms-htmlhelp + + + chrt + application/vnd.kde.kchart + + + cif + chemical/x-cif + + + cii + application/vnd.anser-web-certificate-issue-initiation + + + cil + application/vnd.ms-artgalry + + + cla + application/vnd.claymore + + + class + application/java + + + clkk + application/vnd.crick.clicker.keyboard + + + clkp + application/vnd.crick.clicker.palette + + + clkt + application/vnd.crick.clicker.template + + + clkw + application/vnd.crick.clicker.wordbank + + + clkx + application/vnd.crick.clicker + + + clp + application/x-msclip + + + cmc + application/vnd.cosmocaller + + + cmdf + chemical/x-cmdf + + + cml + 
chemical/x-cml + + + cmp + application/vnd.yellowriver-custom-menu + + + cmx + image/x-cmx + + + cod + application/vnd.rim.cod + + + com + application/x-msdownload + + + conf + text/plain + + + cpio + application/x-cpio + + + cpp + text/x-c + + + cpt + application/mac-compactpro + + + crd + application/x-mscardfile + + + crl + application/pkix-crl + + + crt + application/x-x509-ca-cert + + + cryptonote + application/vnd.rig.cryptonote + + + csh + application/x-csh + + + csml + chemical/x-csml + + + csp + application/vnd.commonspace + + + css + text/css + + + cst + application/x-director + + + csv + text/csv + + + cu + application/cu-seeme + + + curl + text/vnd.curl + + + cww + application/prs.cww + + + cxt + application/x-director + + + cxx + text/x-c + + + dae + model/vnd.collada+xml + + + daf + application/vnd.mobius.daf + + + dart + application/vnd.dart + + + dataless + application/vnd.fdsn.seed + + + davmount + application/davmount+xml + + + dbk + application/docbook+xml + + + dcr + application/x-director + + + dcurl + text/vnd.curl.dcurl + + + dd2 + application/vnd.oma.dd2+xml + + + ddd + application/vnd.fujixerox.ddd + + + deb + application/x-debian-package + + + def + text/plain + + + deploy + application/octet-stream + + + der + application/x-x509-ca-cert + + + dfac + application/vnd.dreamfactory + + + dgc + application/x-dgc-compressed + + + dib + image/bmp + + + dic + text/x-c + + + dir + application/x-director + + + dis + application/vnd.mobius.dis + + + dist + application/octet-stream + + + distz + application/octet-stream + + + djv + image/vnd.djvu + + + djvu + image/vnd.djvu + + + dll + application/x-msdownload + + + dmg + application/x-apple-diskimage + + + dmp + application/vnd.tcpdump.pcap + + + dms + application/octet-stream + + + dna + application/vnd.dna + + + doc + application/msword + + + docm + application/vnd.ms-word.document.macroenabled.12 + + + docx + application/vnd.openxmlformats-officedocument.wordprocessingml.document + + + dot + 
application/msword + + + dotm + application/vnd.ms-word.template.macroenabled.12 + + + dotx + application/vnd.openxmlformats-officedocument.wordprocessingml.template + + + dp + application/vnd.osgi.dp + + + dpg + application/vnd.dpgraph + + + dra + audio/vnd.dra + + + dsc + text/prs.lines.tag + + + dssc + application/dssc+der + + + dtb + application/x-dtbook+xml + + + dtd + application/xml-dtd + + + dts + audio/vnd.dts + + + dtshd + audio/vnd.dts.hd + + + dump + application/octet-stream + + + dv + video/x-dv + + + dvb + video/vnd.dvb.file + + + dvi + application/x-dvi + + + dwf + model/vnd.dwf + + + dwg + image/vnd.dwg + + + dxf + image/vnd.dxf + + + dxp + application/vnd.spotfire.dxp + + + dxr + application/x-director + + + ecelp4800 + audio/vnd.nuera.ecelp4800 + + + ecelp7470 + audio/vnd.nuera.ecelp7470 + + + ecelp9600 + audio/vnd.nuera.ecelp9600 + + + ecma + application/ecmascript + + + edm + application/vnd.novadigm.edm + + + edx + application/vnd.novadigm.edx + + + efif + application/vnd.picsel + + + ei6 + application/vnd.pg.osasli + + + elc + application/octet-stream + + + emf + application/x-msmetafile + + + eml + message/rfc822 + + + emma + application/emma+xml + + + emz + application/x-msmetafile + + + eol + audio/vnd.digital-winds + + + eot + application/vnd.ms-fontobject + + + eps + application/postscript + + + epub + application/epub+zip + + + es3 + application/vnd.eszigno3+xml + + + esa + application/vnd.osgi.subsystem + + + esf + application/vnd.epson.esf + + + et3 + application/vnd.eszigno3+xml + + + etx + text/x-setext + + + eva + application/x-eva + + + evy + application/x-envoy + + + exe + application/octet-stream + + + exi + application/exi + + + ext + application/vnd.novadigm.ext + + + ez + application/andrew-inset + + + ez2 + application/vnd.ezpix-album + + + ez3 + application/vnd.ezpix-package + + + f + text/x-fortran + + + f4v + video/x-f4v + + + f77 + text/x-fortran + + + f90 + text/x-fortran + + + fbs + image/vnd.fastbidsheet + + + fcdt + 
application/vnd.adobe.formscentral.fcdt + + + fcs + application/vnd.isac.fcs + + + fdf + application/vnd.fdf + + + fe_launch + application/vnd.denovo.fcselayout-link + + + fg5 + application/vnd.fujitsu.oasysgp + + + fgd + application/x-director + + + fh + image/x-freehand + + + fh4 + image/x-freehand + + + fh5 + image/x-freehand + + + fh7 + image/x-freehand + + + fhc + image/x-freehand + + + fig + application/x-xfig + + + flac + audio/flac + + + fli + video/x-fli + + + flo + application/vnd.micrografx.flo + + + flv + video/x-flv + + + flw + application/vnd.kde.kivio + + + flx + text/vnd.fmi.flexstor + + + fly + text/vnd.fly + + + fm + application/vnd.framemaker + + + fnc + application/vnd.frogans.fnc + + + for + text/x-fortran + + + fpx + image/vnd.fpx + + + frame + application/vnd.framemaker + + + fsc + application/vnd.fsc.weblaunch + + + fst + image/vnd.fst + + + ftc + application/vnd.fluxtime.clip + + + fti + application/vnd.anser-web-funds-transfer-initiation + + + fvt + video/vnd.fvt + + + fxp + application/vnd.adobe.fxp + + + fxpl + application/vnd.adobe.fxp + + + fzs + application/vnd.fuzzysheet + + + g2w + application/vnd.geoplan + + + g3 + image/g3fax + + + g3w + application/vnd.geospace + + + gac + application/vnd.groove-account + + + gam + application/x-tads + + + gbr + application/rpki-ghostbusters + + + gca + application/x-gca-compressed + + + gdl + model/vnd.gdl + + + geo + application/vnd.dynageo + + + gex + application/vnd.geometry-explorer + + + ggb + application/vnd.geogebra.file + + + ggt + application/vnd.geogebra.tool + + + ghf + application/vnd.groove-help + + + gif + image/gif + + + gim + application/vnd.groove-identity-message + + + gml + application/gml+xml + + + gmx + application/vnd.gmx + + + gnumeric + application/x-gnumeric + + + gph + application/vnd.flographit + + + gpx + application/gpx+xml + + + gqf + application/vnd.grafeq + + + gqs + application/vnd.grafeq + + + gram + application/srgs + + + gramps + application/x-gramps-xml + + + 
gre + application/vnd.geometry-explorer + + + grv + application/vnd.groove-injector + + + grxml + application/srgs+xml + + + gsf + application/x-font-ghostscript + + + gtar + application/x-gtar + + + gtm + application/vnd.groove-tool-message + + + gtw + model/vnd.gtw + + + gv + text/vnd.graphviz + + + gxf + application/gxf + + + gxt + application/vnd.geonext + + + gz + application/x-gzip + + + h + text/x-c + + + h261 + video/h261 + + + h263 + video/h263 + + + h264 + video/h264 + + + hal + application/vnd.hal+xml + + + hbci + application/vnd.hbci + + + hdf + application/x-hdf + + + hh + text/x-c + + + hlp + application/winhlp + + + hpgl + application/vnd.hp-hpgl + + + hpid + application/vnd.hp-hpid + + + hps + application/vnd.hp-hps + + + hqx + application/mac-binhex40 + + + htc + text/x-component + + + htke + application/vnd.kenameaapp + + + htm + text/html + + + html + text/html + + + hvd + application/vnd.yamaha.hv-dic + + + hvp + application/vnd.yamaha.hv-voice + + + hvs + application/vnd.yamaha.hv-script + + + i2g + application/vnd.intergeo + + + icc + application/vnd.iccprofile + + + ice + x-conference/x-cooltalk + + + icm + application/vnd.iccprofile + + + ico + image/x-icon + + + ics + text/calendar + + + ief + image/ief + + + ifb + text/calendar + + + ifm + application/vnd.shana.informed.formdata + + + iges + model/iges + + + igl + application/vnd.igloader + + + igm + application/vnd.insors.igm + + + igs + model/iges + + + igx + application/vnd.micrografx.igx + + + iif + application/vnd.shana.informed.interchange + + + imp + application/vnd.accpac.simply.imp + + + ims + application/vnd.ms-ims + + + in + text/plain + + + ink + application/inkml+xml + + + inkml + application/inkml+xml + + + install + application/x-install-instructions + + + iota + application/vnd.astraea-software.iota + + + ipfix + application/ipfix + + + ipk + application/vnd.shana.informed.package + + + irm + application/vnd.ibm.rights-management + + + irp + 
application/vnd.irepository.package+xml + + + iso + application/x-iso9660-image + + + itp + application/vnd.shana.informed.formtemplate + + + ivp + application/vnd.immervision-ivp + + + ivu + application/vnd.immervision-ivu + + + jad + text/vnd.sun.j2me.app-descriptor + + + jam + application/vnd.jam + + + jar + application/java-archive + + + java + text/x-java-source + + + jisp + application/vnd.jisp + + + jlt + application/vnd.hp-jlyt + + + jnlp + application/x-java-jnlp-file + + + joda + application/vnd.joost.joda-archive + + + jpe + image/jpeg + + + jpeg + image/jpeg + + + jpg + image/jpeg + + + jpgm + video/jpm + + + jpgv + video/jpeg + + + jpm + video/jpm + + + js + application/javascript + + + jsf + text/plain + + + json + application/json + + + jsonml + application/jsonml+json + + + jspf + text/plain + + + kar + audio/midi + + + karbon + application/vnd.kde.karbon + + + kfo + application/vnd.kde.kformula + + + kia + application/vnd.kidspiration + + + kml + application/vnd.google-earth.kml+xml + + + kmz + application/vnd.google-earth.kmz + + + kne + application/vnd.kinar + + + knp + application/vnd.kinar + + + kon + application/vnd.kde.kontour + + + kpr + application/vnd.kde.kpresenter + + + kpt + application/vnd.kde.kpresenter + + + kpxx + application/vnd.ds-keypoint + + + ksp + application/vnd.kde.kspread + + + ktr + application/vnd.kahootz + + + ktx + image/ktx + + + ktz + application/vnd.kahootz + + + kwd + application/vnd.kde.kword + + + kwt + application/vnd.kde.kword + + + lasxml + application/vnd.las.las+xml + + + latex + application/x-latex + + + lbd + application/vnd.llamagraphics.life-balance.desktop + + + lbe + application/vnd.llamagraphics.life-balance.exchange+xml + + + les + application/vnd.hhe.lesson-player + + + lha + application/x-lzh-compressed + + + link66 + application/vnd.route66.link66+xml + + + list + text/plain + + + list3820 + application/vnd.ibm.modcap + + + listafp + application/vnd.ibm.modcap + + + lnk + application/x-ms-shortcut 
+ + + log + text/plain + + + lostxml + application/lost+xml + + + lrf + application/octet-stream + + + lrm + application/vnd.ms-lrm + + + ltf + application/vnd.frogans.ltf + + + lvp + audio/vnd.lucent.voice + + + lwp + application/vnd.lotus-wordpro + + + lzh + application/x-lzh-compressed + + + m13 + application/x-msmediaview + + + m14 + application/x-msmediaview + + + m1v + video/mpeg + + + m21 + application/mp21 + + + m2a + audio/mpeg + + + m2v + video/mpeg + + + m3a + audio/mpeg + + + m3u + audio/x-mpegurl + + + m3u8 + application/vnd.apple.mpegurl + + + m4a + audio/mp4 + + + m4b + audio/mp4 + + + m4r + audio/mp4 + + + m4u + video/vnd.mpegurl + + + m4v + video/mp4 + + + ma + application/mathematica + + + mac + image/x-macpaint + + + mads + application/mads+xml + + + mag + application/vnd.ecowin.chart + + + maker + application/vnd.framemaker + + + man + text/troff + + + mar + application/octet-stream + + + mathml + application/mathml+xml + + + mb + application/mathematica + + + mbk + application/vnd.mobius.mbk + + + mbox + application/mbox + + + mc1 + application/vnd.medcalcdata + + + mcd + application/vnd.mcd + + + mcurl + text/vnd.curl.mcurl + + + mdb + application/x-msaccess + + + mdi + image/vnd.ms-modi + + + me + text/troff + + + mesh + model/mesh + + + meta4 + application/metalink4+xml + + + metalink + application/metalink+xml + + + mets + application/mets+xml + + + mfm + application/vnd.mfmp + + + mft + application/rpki-manifest + + + mgp + application/vnd.osgeo.mapguide.package + + + mgz + application/vnd.proteus.magazine + + + mid + audio/midi + + + midi + audio/midi + + + mie + application/x-mie + + + mif + application/x-mif + + + mime + message/rfc822 + + + mj2 + video/mj2 + + + mjp2 + video/mj2 + + + mk3d + video/x-matroska + + + mka + audio/x-matroska + + + mks + video/x-matroska + + + mkv + video/x-matroska + + + mlp + application/vnd.dolby.mlp + + + mmd + application/vnd.chipnuts.karaoke-mmd + + + mmf + application/vnd.smaf + + + mmr + 
image/vnd.fujixerox.edmics-mmr + + + mng + video/x-mng + + + mny + application/x-msmoney + + + mobi + application/x-mobipocket-ebook + + + mods + application/mods+xml + + + mov + video/quicktime + + + movie + video/x-sgi-movie + + + mp1 + audio/mpeg + + + mp2 + audio/mpeg + + + mp21 + application/mp21 + + + mp2a + audio/mpeg + + + mp3 + audio/mpeg + + + mp4 + video/mp4 + + + mp4a + audio/mp4 + + + mp4s + application/mp4 + + + mp4v + video/mp4 + + + mpa + audio/mpeg + + + mpc + application/vnd.mophun.certificate + + + mpe + video/mpeg + + + mpeg + video/mpeg + + + mpega + audio/x-mpeg + + + mpg + video/mpeg + + + mpg4 + video/mp4 + + + mpga + audio/mpeg + + + mpkg + application/vnd.apple.installer+xml + + + mpm + application/vnd.blueice.multipass + + + mpn + application/vnd.mophun.application + + + mpp + application/vnd.ms-project + + + mpt + application/vnd.ms-project + + + mpv2 + video/mpeg2 + + + mpy + application/vnd.ibm.minipay + + + mqy + application/vnd.mobius.mqy + + + mrc + application/marc + + + mrcx + application/marcxml+xml + + + ms + text/troff + + + mscml + application/mediaservercontrol+xml + + + mseed + application/vnd.fdsn.mseed + + + mseq + application/vnd.mseq + + + msf + application/vnd.epson.msf + + + msh + model/mesh + + + msi + application/x-msdownload + + + msl + application/vnd.mobius.msl + + + msty + application/vnd.muvee.style + + + mts + model/vnd.mts + + + mus + application/vnd.musician + + + musicxml + application/vnd.recordare.musicxml+xml + + + mvb + application/x-msmediaview + + + mwf + application/vnd.mfer + + + mxf + application/mxf + + + mxl + application/vnd.recordare.musicxml + + + mxml + application/xv+xml + + + mxs + application/vnd.triscape.mxs + + + mxu + video/vnd.mpegurl + + + n-gage + application/vnd.nokia.n-gage.symbian.install + + + n3 + text/n3 + + + nb + application/mathematica + + + nbp + application/vnd.wolfram.player + + + nc + application/x-netcdf + + + ncx + application/x-dtbncx+xml + + + nfo + text/x-nfo + + + 
ngdat + application/vnd.nokia.n-gage.data + + + nitf + application/vnd.nitf + + + nlu + application/vnd.neurolanguage.nlu + + + nml + application/vnd.enliven + + + nnd + application/vnd.noblenet-directory + + + nns + application/vnd.noblenet-sealer + + + nnw + application/vnd.noblenet-web + + + npx + image/vnd.net-fpx + + + nsc + application/x-conference + + + nsf + application/vnd.lotus-notes + + + ntf + application/vnd.nitf + + + nzb + application/x-nzb + + + oa2 + application/vnd.fujitsu.oasys2 + + + oa3 + application/vnd.fujitsu.oasys3 + + + oas + application/vnd.fujitsu.oasys + + + obd + application/x-msbinder + + + obj + application/x-tgif + + + oda + application/oda + + + + odb + application/vnd.oasis.opendocument.database + + + + odc + application/vnd.oasis.opendocument.chart + + + + odf + application/vnd.oasis.opendocument.formula + + + odft + application/vnd.oasis.opendocument.formula-template + + + + odg + application/vnd.oasis.opendocument.graphics + + + + odi + application/vnd.oasis.opendocument.image + + + + odm + application/vnd.oasis.opendocument.text-master + + + + odp + application/vnd.oasis.opendocument.presentation + + + + ods + application/vnd.oasis.opendocument.spreadsheet + + + + odt + application/vnd.oasis.opendocument.text + + + oga + audio/ogg + + + ogg + audio/ogg + + + ogv + video/ogg + + + + ogx + application/ogg + + + omdoc + application/omdoc+xml + + + onepkg + application/onenote + + + onetmp + application/onenote + + + onetoc + application/onenote + + + onetoc2 + application/onenote + + + opf + application/oebps-package+xml + + + opml + text/x-opml + + + oprc + application/vnd.palm + + + org + application/vnd.lotus-organizer + + + osf + application/vnd.yamaha.openscoreformat + + + osfpvg + application/vnd.yamaha.openscoreformat.osfpvg+xml + + + otc + application/vnd.oasis.opendocument.chart-template + + + otf + font/otf + + + + otg + application/vnd.oasis.opendocument.graphics-template + + + + oth + 
application/vnd.oasis.opendocument.text-web + + + oti + application/vnd.oasis.opendocument.image-template + + + + otp + application/vnd.oasis.opendocument.presentation-template + + + + ots + application/vnd.oasis.opendocument.spreadsheet-template + + + + ott + application/vnd.oasis.opendocument.text-template + + + oxps + application/oxps + + + oxt + application/vnd.openofficeorg.extension + + + p + text/x-pascal + + + p10 + application/pkcs10 + + + p12 + application/x-pkcs12 + + + p7b + application/x-pkcs7-certificates + + + p7c + application/pkcs7-mime + + + p7m + application/pkcs7-mime + + + p7r + application/x-pkcs7-certreqresp + + + p7s + application/pkcs7-signature + + + p8 + application/pkcs8 + + + pas + text/x-pascal + + + paw + application/vnd.pawaafile + + + pbd + application/vnd.powerbuilder6 + + + pbm + image/x-portable-bitmap + + + pcap + application/vnd.tcpdump.pcap + + + pcf + application/x-font-pcf + + + pcl + application/vnd.hp-pcl + + + pclxl + application/vnd.hp-pclxl + + + pct + image/pict + + + pcurl + application/vnd.curl.pcurl + + + pcx + image/x-pcx + + + pdb + application/vnd.palm + + + pdf + application/pdf + + + pfa + application/x-font-type1 + + + pfb + application/x-font-type1 + + + pfm + application/x-font-type1 + + + pfr + application/font-tdpfr + + + pfx + application/x-pkcs12 + + + pgm + image/x-portable-graymap + + + pgn + application/x-chess-pgn + + + pgp + application/pgp-encrypted + + + pic + image/pict + + + pict + image/pict + + + pkg + application/octet-stream + + + pki + application/pkixcmp + + + pkipath + application/pkix-pkipath + + + plb + application/vnd.3gpp.pic-bw-large + + + plc + application/vnd.mobius.plc + + + plf + application/vnd.pocketlearn + + + + pls + audio/x-scpls + + + pml + application/vnd.ctc-posml + + + png + image/png + + + pnm + image/x-portable-anymap + + + pnt + image/x-macpaint + + + portpkg + application/vnd.macports.portpkg + + + pot + application/vnd.ms-powerpoint + + + potm + 
application/vnd.ms-powerpoint.template.macroenabled.12 + + + potx + application/vnd.openxmlformats-officedocument.presentationml.template + + + ppam + application/vnd.ms-powerpoint.addin.macroenabled.12 + + + ppd + application/vnd.cups-ppd + + + ppm + image/x-portable-pixmap + + + pps + application/vnd.ms-powerpoint + + + ppsm + application/vnd.ms-powerpoint.slideshow.macroenabled.12 + + + ppsx + application/vnd.openxmlformats-officedocument.presentationml.slideshow + + + ppt + application/vnd.ms-powerpoint + + + pptm + application/vnd.ms-powerpoint.presentation.macroenabled.12 + + + pptx + application/vnd.openxmlformats-officedocument.presentationml.presentation + + + pqa + application/vnd.palm + + + prc + application/x-mobipocket-ebook + + + pre + application/vnd.lotus-freelance + + + prf + application/pics-rules + + + ps + application/postscript + + + psb + application/vnd.3gpp.pic-bw-small + + + psd + image/vnd.adobe.photoshop + + + psf + application/x-font-linux-psf + + + pskcxml + application/pskc+xml + + + ptid + application/vnd.pvi.ptid1 + + + pub + application/x-mspublisher + + + pvb + application/vnd.3gpp.pic-bw-var + + + pwn + application/vnd.3m.post-it-notes + + + pya + audio/vnd.ms-playready.media.pya + + + pyv + video/vnd.ms-playready.media.pyv + + + qam + application/vnd.epson.quickanime + + + qbo + application/vnd.intu.qbo + + + qfx + application/vnd.intu.qfx + + + qps + application/vnd.publishare-delta-tree + + + qt + video/quicktime + + + qti + image/x-quicktime + + + qtif + image/x-quicktime + + + qwd + application/vnd.quark.quarkxpress + + + qwt + application/vnd.quark.quarkxpress + + + qxb + application/vnd.quark.quarkxpress + + + qxd + application/vnd.quark.quarkxpress + + + qxl + application/vnd.quark.quarkxpress + + + qxt + application/vnd.quark.quarkxpress + + + ra + audio/x-pn-realaudio + + + ram + audio/x-pn-realaudio + + + rar + application/x-rar-compressed + + + ras + image/x-cmu-raster + + + rcprofile + 
application/vnd.ipunplugged.rcprofile + + + rdf + application/rdf+xml + + + rdz + application/vnd.data-vision.rdz + + + rep + application/vnd.businessobjects + + + res + application/x-dtbresource+xml + + + rgb + image/x-rgb + + + rif + application/reginfo+xml + + + rip + audio/vnd.rip + + + ris + application/x-research-info-systems + + + rl + application/resource-lists+xml + + + rlc + image/vnd.fujixerox.edmics-rlc + + + rld + application/resource-lists-diff+xml + + + rm + application/vnd.rn-realmedia + + + rmi + audio/midi + + + rmp + audio/x-pn-realaudio-plugin + + + rms + application/vnd.jcp.javame.midlet-rms + + + rmvb + application/vnd.rn-realmedia-vbr + + + rnc + application/relax-ng-compact-syntax + + + roa + application/rpki-roa + + + roff + text/troff + + + rp9 + application/vnd.cloanto.rp9 + + + rpss + application/vnd.nokia.radio-presets + + + rpst + application/vnd.nokia.radio-preset + + + rq + application/sparql-query + + + rs + application/rls-services+xml + + + rsd + application/rsd+xml + + + rss + application/rss+xml + + + rtf + application/rtf + + + rtx + text/richtext + + + s + text/x-asm + + + s3m + audio/s3m + + + saf + application/vnd.yamaha.smaf-audio + + + sbml + application/sbml+xml + + + sc + application/vnd.ibm.secure-container + + + scd + application/x-msschedule + + + scm + application/vnd.lotus-screencam + + + scq + application/scvp-cv-request + + + scs + application/scvp-cv-response + + + scurl + text/vnd.curl.scurl + + + sda + application/vnd.stardivision.draw + + + sdc + application/vnd.stardivision.calc + + + sdd + application/vnd.stardivision.impress + + + sdkd + application/vnd.solent.sdkm+xml + + + sdkm + application/vnd.solent.sdkm+xml + + + sdp + application/sdp + + + sdw + application/vnd.stardivision.writer + + + see + application/vnd.seemail + + + seed + application/vnd.fdsn.seed + + + sema + application/vnd.sema + + + semd + application/vnd.semd + + + semf + application/vnd.semf + + + ser + application/java-serialized-object 
+ + + setpay + application/set-payment-initiation + + + setreg + application/set-registration-initiation + + + sfd-hdstx + application/vnd.hydrostatix.sof-data + + + sfs + application/vnd.spotfire.sfs + + + sfv + text/x-sfv + + + sgi + image/sgi + + + sgl + application/vnd.stardivision.writer-global + + + sgm + text/sgml + + + sgml + text/sgml + + + sh + application/x-sh + + + shar + application/x-shar + + + shf + application/shf+xml + + + + sid + image/x-mrsid-image + + + sig + application/pgp-signature + + + sil + audio/silk + + + silo + model/mesh + + + sis + application/vnd.symbian.install + + + sisx + application/vnd.symbian.install + + + sit + application/x-stuffit + + + sitx + application/x-stuffitx + + + skd + application/vnd.koan + + + skm + application/vnd.koan + + + skp + application/vnd.koan + + + skt + application/vnd.koan + + + sldm + application/vnd.ms-powerpoint.slide.macroenabled.12 + + + sldx + application/vnd.openxmlformats-officedocument.presentationml.slide + + + slt + application/vnd.epson.salt + + + sm + application/vnd.stepmania.stepchart + + + smf + application/vnd.stardivision.math + + + smi + application/smil+xml + + + smil + application/smil+xml + + + smv + video/x-smv + + + smzip + application/vnd.stepmania.package + + + snd + audio/basic + + + snf + application/x-font-snf + + + so + application/octet-stream + + + spc + application/x-pkcs7-certificates + + + spf + application/vnd.yamaha.smaf-phrase + + + spl + application/x-futuresplash + + + spot + text/vnd.in3d.spot + + + spp + application/scvp-vp-response + + + spq + application/scvp-vp-request + + + spx + audio/ogg + + + sql + application/x-sql + + + src + application/x-wais-source + + + srt + application/x-subrip + + + sru + application/sru+xml + + + srx + application/sparql-results+xml + + + ssdl + application/ssdl+xml + + + sse + application/vnd.kodak-descriptor + + + ssf + application/vnd.epson.ssf + + + ssml + application/ssml+xml + + + st + application/vnd.sailingtracker.track 
+ + + stc + application/vnd.sun.xml.calc.template + + + std + application/vnd.sun.xml.draw.template + + + stf + application/vnd.wt.stf + + + sti + application/vnd.sun.xml.impress.template + + + stk + application/hyperstudio + + + stl + application/vnd.ms-pki.stl + + + str + application/vnd.pg.format + + + stw + application/vnd.sun.xml.writer.template + + + sub + text/vnd.dvb.subtitle + + + sus + application/vnd.sus-calendar + + + susp + application/vnd.sus-calendar + + + sv4cpio + application/x-sv4cpio + + + sv4crc + application/x-sv4crc + + + svc + application/vnd.dvb.service + + + svd + application/vnd.svd + + + svg + image/svg+xml + + + svgz + image/svg+xml + + + swa + application/x-director + + + swf + application/x-shockwave-flash + + + swi + application/vnd.aristanetworks.swi + + + sxc + application/vnd.sun.xml.calc + + + sxd + application/vnd.sun.xml.draw + + + sxg + application/vnd.sun.xml.writer.global + + + sxi + application/vnd.sun.xml.impress + + + sxm + application/vnd.sun.xml.math + + + sxw + application/vnd.sun.xml.writer + + + t + text/troff + + + t3 + application/x-t3vm-image + + + taglet + application/vnd.mynfc + + + tao + application/vnd.tao.intent-module-archive + + + tar + application/x-tar + + + tcap + application/vnd.3gpp2.tcap + + + tcl + application/x-tcl + + + teacher + application/vnd.smart.teacher + + + tei + application/tei+xml + + + teicorpus + application/tei+xml + + + tex + application/x-tex + + + texi + application/x-texinfo + + + texinfo + application/x-texinfo + + + text + text/plain + + + tfi + application/thraud+xml + + + tfm + application/x-tex-tfm + + + tga + image/x-tga + + + thmx + application/vnd.ms-officetheme + + + tif + image/tiff + + + tiff + image/tiff + + + tmo + application/vnd.tmobile-livetv + + + torrent + application/x-bittorrent + + + tpl + application/vnd.groove-tool-template + + + tpt + application/vnd.trid.tpt + + + tr + text/troff + + + tra + application/vnd.trueapp + + + trm + application/x-msterminal + + + 
tsd + application/timestamped-data + + + tsv + text/tab-separated-values + + + ttc + font/collection + + + ttf + font/ttf + + + ttl + text/turtle + + + twd + application/vnd.simtech-mindmapper + + + twds + application/vnd.simtech-mindmapper + + + txd + application/vnd.genomatix.tuxedo + + + txf + application/vnd.mobius.txf + + + txt + text/plain + + + u32 + application/x-authorware-bin + + + udeb + application/x-debian-package + + + ufd + application/vnd.ufdl + + + ufdl + application/vnd.ufdl + + + ulw + audio/basic + + + ulx + application/x-glulx + + + umj + application/vnd.umajin + + + unityweb + application/vnd.unity + + + uoml + application/vnd.uoml+xml + + + uri + text/uri-list + + + uris + text/uri-list + + + urls + text/uri-list + + + ustar + application/x-ustar + + + utz + application/vnd.uiq.theme + + + uu + text/x-uuencode + + + uva + audio/vnd.dece.audio + + + uvd + application/vnd.dece.data + + + uvf + application/vnd.dece.data + + + uvg + image/vnd.dece.graphic + + + uvh + video/vnd.dece.hd + + + uvi + image/vnd.dece.graphic + + + uvm + video/vnd.dece.mobile + + + uvp + video/vnd.dece.pd + + + uvs + video/vnd.dece.sd + + + uvt + application/vnd.dece.ttml+xml + + + uvu + video/vnd.uvvu.mp4 + + + uvv + video/vnd.dece.video + + + uvva + audio/vnd.dece.audio + + + uvvd + application/vnd.dece.data + + + uvvf + application/vnd.dece.data + + + uvvg + image/vnd.dece.graphic + + + uvvh + video/vnd.dece.hd + + + uvvi + image/vnd.dece.graphic + + + uvvm + video/vnd.dece.mobile + + + uvvp + video/vnd.dece.pd + + + uvvs + video/vnd.dece.sd + + + uvvt + application/vnd.dece.ttml+xml + + + uvvu + video/vnd.uvvu.mp4 + + + uvvv + video/vnd.dece.video + + + uvvx + application/vnd.dece.unspecified + + + uvvz + application/vnd.dece.zip + + + uvx + application/vnd.dece.unspecified + + + uvz + application/vnd.dece.zip + + + vcard + text/vcard + + + vcd + application/x-cdlink + + + vcf + text/x-vcard + + + vcg + application/vnd.groove-vcard + + + vcs + text/x-vcalendar + + + 
vcx + application/vnd.vcx + + + vis + application/vnd.visionary + + + viv + video/vnd.vivo + + + vob + video/x-ms-vob + + + vor + application/vnd.stardivision.writer + + + vox + + application/x-authorware-bin + + + vrml + model/vrml + + + vsd + application/vnd.visio + + + vsf + application/vnd.vsf + + + vss + application/vnd.visio + + + vst + application/vnd.visio + + + vsw + application/vnd.visio + + + vtu + model/vnd.vtu + + + vxml + application/voicexml+xml + + + w3d + application/x-director + + + wad + application/x-doom + + + wav + audio/x-wav + + + wax + audio/x-ms-wax + + + + wbmp + image/vnd.wap.wbmp + + + wbs + application/vnd.criticaltools.wbs+xml + + + wbxml + application/vnd.wap.wbxml + + + wcm + application/vnd.ms-works + + + wdb + application/vnd.ms-works + + + wdp + image/vnd.ms-photo + + + weba + audio/webm + + + webm + video/webm + + + webp + image/webp + + + wg + application/vnd.pmi.widget + + + wgt + application/widget + + + wks + application/vnd.ms-works + + + wm + video/x-ms-wm + + + wma + audio/x-ms-wma + + + wmd + application/x-ms-wmd + + + wmf + application/x-msmetafile + + + + wml + text/vnd.wap.wml + + + + wmlc + application/vnd.wap.wmlc + + + + wmls + text/vnd.wap.wmlscript + + + + wmlsc + application/vnd.wap.wmlscriptc + + + wmv + video/x-ms-wmv + + + wmx + video/x-ms-wmx + + + wmz + application/x-msmetafile + + + woff + font/woff + + + woff2 + font/woff2 + + + wpd + application/vnd.wordperfect + + + wpl + application/vnd.ms-wpl + + + wps + application/vnd.ms-works + + + wqd + application/vnd.wqd + + + wri + application/x-mswrite + + + wrl + model/vrml + + + wsdl + application/wsdl+xml + + + wspolicy + application/wspolicy+xml + + + wtb + application/vnd.webturbo + + + wvx + video/x-ms-wvx + + + x32 + application/x-authorware-bin + + + x3d + model/x3d+xml + + + x3db + model/x3d+binary + + + x3dbz + model/x3d+binary + + + x3dv + model/x3d+vrml + + + x3dvz + model/x3d+vrml + + + x3dz + model/x3d+xml + + + xaml + application/xaml+xml + + + 
xap + application/x-silverlight-app + + + xar + application/vnd.xara + + + xbap + application/x-ms-xbap + + + xbd + application/vnd.fujixerox.docuworks.binder + + + xbm + image/x-xbitmap + + + xdf + application/xcap-diff+xml + + + + xdm + application/vnd.syncml.dm+xml + + + xdp + application/vnd.adobe.xdp+xml + + + xdssc + application/dssc+xml + + + xdw + application/vnd.fujixerox.docuworks + + + xenc + application/xenc+xml + + + xer + application/patch-ops-error+xml + + + xfdf + application/vnd.adobe.xfdf + + + xfdl + application/vnd.xfdl + + + xht + application/xhtml+xml + + + xhtml + application/xhtml+xml + + + xhvml + application/xv+xml + + + xif + image/vnd.xiff + + + xla + application/vnd.ms-excel + + + xlam + application/vnd.ms-excel.addin.macroenabled.12 + + + xlc + application/vnd.ms-excel + + + xlf + application/x-xliff+xml + + + xlm + application/vnd.ms-excel + + + xls + application/vnd.ms-excel + + + xlsb + application/vnd.ms-excel.sheet.binary.macroenabled.12 + + + xlsm + application/vnd.ms-excel.sheet.macroenabled.12 + + + xlsx + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + + + xlt + application/vnd.ms-excel + + + xltm + application/vnd.ms-excel.template.macroenabled.12 + + + xltx + application/vnd.openxmlformats-officedocument.spreadsheetml.template + + + xlw + application/vnd.ms-excel + + + xm + audio/xm + + + xml + application/xml + + + xo + application/vnd.olpc-sugar + + + xop + application/xop+xml + + + xpi + application/x-xpinstall + + + xpl + application/xproc+xml + + + xpm + image/x-xpixmap + + + xpr + application/vnd.is-xpr + + + xps + application/vnd.ms-xpsdocument + + + xpw + application/vnd.intercon.formnet + + + xpx + application/vnd.intercon.formnet + + + xsl + application/xml + + + xslt + application/xslt+xml + + + xsm + application/vnd.syncml+xml + + + xspf + application/xspf+xml + + + xul + application/vnd.mozilla.xul+xml + + + xvm + application/xv+xml + + + xvml + application/xv+xml + + + xwd + 
image/x-xwindowdump + + + xyz + chemical/x-xyz + + + xz + application/x-xz + + + yang + application/yang + + + yin + application/yin+xml + + + z + application/x-compress + + + Z + application/x-compress + + + z1 + application/x-zmachine + + + z2 + application/x-zmachine + + + z3 + application/x-zmachine + + + z4 + application/x-zmachine + + + z5 + application/x-zmachine + + + z6 + application/x-zmachine + + + z7 + application/x-zmachine + + + z8 + application/x-zmachine + + + zaz + application/vnd.zzazz.deck+xml + + + zip + application/zip + + + zir + application/vnd.zul + + + zirz + application/vnd.zul + + + zmm + application/vnd.handheld-entertainment+xml + + + + + + + + + + + + + + + + + + index.html + index.htm + index.jsp + + + + + diff --git a/kubernetes/uui/templates/deployment.yaml b/kubernetes/uui/templates/deployment.yaml index 5d8c7b32b5..c9feacc1ba 100644 --- a/kubernetes/uui/templates/deployment.yaml +++ b/kubernetes/uui/templates/deployment.yaml 
@@ -16,39 +16,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - command: - sh args: - -c - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) cd /config-input && for PFILE in `ls -1` do envsubst <${PFILE} >/config/${PFILE} done cat /config/server.xml - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - mountPath: /config-input name: config-input - mountPath: /config @@ -56,7 +42,6 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
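Review bot: The init container that this hunk makes unconditional still ends its script with `cat /config/server.xml`, so the rendered Tomcat configuration is written to the pod log on every start. Anything `envsubst` injects into that file later (a connector or keystore password, for example) would then be readable by anyone with log access; I would drop the `cat` line or replace it with `ls -l /config`. `envsubst` is also run without a variable list, so any `${...}` text in the ConfigMap files is replaced by an empty string when the variable is unset. The container declares no `resources` or `securityContext` in the visible lines, and the pod spec continues outside this hunk.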
@@ -69,13 +54,8 @@ spec: ls -lh /opt/ echo "*** /opt/app" ls -lh /opt/app/ - echo "*** /opt/app/osaaf/" - ls -lh /opt/app/osaaf/ - echo "*** /opt/app/osaaf/local" - ls -lh /opt/app/osaaf/local/ /home/uui/uuiStartup.sh - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -90,12 +70,13 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - {{- if .Values.global.aafEnabled }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - mountPath: /home/uui/server.xml name: config subPath: server.xml - {{- end }} + - mountPath: /home/uui/web.xml + name: config + subPath: web.xml env: - name: MSB_ADDR value: {{ tpl .Values.msbaddr . }} @@ -106,14 +87,11 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} - {{- if .Values.global.aafEnabled }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: config-input configMap: name: {{ include "common.fullname" . }} - name: config emptyDir: medium: Memory - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/templates/ingress.yaml b/kubernetes/uui/templates/ingress.yaml index 8f87c68f1e..1f6ec7ab0e 100644 --- a/kubernetes/uui/templates/ingress.yaml +++ b/kubernetes/uui/templates/ingress.yaml 
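Review bot: In the `@@ -90,12 +70,13 @@` hunk the `server.xml` and `web.xml` subPath mounts are writable, although the application presumably only reads files that the init container has already rendered. Adding `readOnly: true` to both entries would keep a compromised or misbehaving process from rewriting its own servlet configuration in the shared `config` volume. The container spec starts outside the hunk, so confirm that nothing in `uuiStartup.sh` edits these files in place before making the change.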
@@ -1 +1,17 @@
+{{/*
+# Copyright © 2017 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
 {{ include "common.ingress" . }}
diff --git a/kubernetes/uui/templates/service.yaml b/kubernetes/uui/templates/service.yaml
index 222100d8c8..143f1c39d5 100644
--- a/kubernetes/uui/templates/service.yaml
+++ b/kubernetes/uui/templates/service.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2018 AT&T, ZTE
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,41 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "usecaseui-ui", - "version": "v1", - "url": "/usecase-ui", - "path":"/iui/usecaseui", - "protocol": "UI", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"1", - "enable_ssl": true - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.uuiPortPrefix | default .Values.uuiPortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml index 55dc6a16ce..b7893bc0fa 100644 --- a/kubernetes/uui/values.yaml +++ b/kubernetes/uui/values.yaml 
@@ -17,40 +17,7 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. global: - uuiPortPrefix: 303 - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: uui-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: uui - fqi: uui@uui.onap.org - fqi_namespace: org.onap.uui - public_fqdn: uui.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} + nodePortPrefix: 302 subChartsOnly: enabled: true @@ -58,7 +25,7 @@ subChartsOnly: flavor: small # application image -image: onap/usecase-ui:5.1.1 +image: onap/usecase-ui:5.2.2 pullPolicy: Always # application configuration 
@@ -91,16 +58,33 @@ readiness: service: type: NodePort name: uui - portName: http - internalPort: 8443 - nodePort: 98 + internalPort: 8080 + nodePortPrefixOverride: 303 + ports: + - name: http + port: 8080 + nodePort: '98' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "usecaseui-ui", + "version": "v1", + "url": "/usecase-ui", + "path":"/iui/usecaseui", + "protocol": "UI", + "visualRange":"1", + "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}", + "enable_ssl": false + } + ]{{ end }} ingress: enabled: false service: - baseaddr: "uui-ui" name: "uui" - port: 8443 + port: 8080 config: ssl: "redirect" @@ -117,16 +101,16 @@ ingress: resources: small: limits: - cpu: 250m - memory: 1Gi + cpu: "250m" + memory: "1Gi" requests: - cpu: 250m - memory: 1Gi + cpu: "250m" + memory: "1Gi" large: limits: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/vfc/Chart.yaml b/kubernetes/vfc/Chart.yaml index cbc5bf4fe3..0965d00905 100644 --- a/kubernetes/vfc/Chart.yaml +++ b/kubernetes/vfc/Chart.yaml 
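Review bot: In the `service:` hunk the port moves from 8443 to 8080 and `enable_ssl` becomes `false`, but `type: NodePort` with `nodePort: '98'` stays, so the UI is offered in plaintext on a node port to anything that can reach a cluster node. If TLS is now expected to terminate at the ingress or a service mesh, the NodePort bypasses that path; consider defaulting to `type: ClusterIP` here, unless the `common.service` helper already rewrites the type, which is not visible in this diff. The `ssl: "redirect"` context line under `ingress.config` suggests HTTPS is still intended at the edge, so a comment above `ports:` such as `# plain HTTP inside the cluster; TLS is terminated by ingress/mesh` would record the assumption.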
@@ -17,48 +17,48 @@ apiVersion: v2 description: ONAP Virtual Function Controller (VF-C) name: vfc -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: vfc-generic-vnfm-driver - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/vfc-generic-vnfm-driver' condition: vfc-generic-vnfm-driver.enabled - name: vfc-huawei-vnfm-driver - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/vfc-huawei-vnfm-driver' condition: vfc-huawei-vnfm-driver.enabled - name: vfc-nslcm - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/vfc-nslcm' condition: vfc-nslcm.enabled - name: vfc-redis - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/vfc-redis' condition: vfc-redis.enabled - name: vfc-vnflcm - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/vfc-vnflcm' condition: vfc-vnflcm.enabled - name: vfc-vnfmgr - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/vfc-vnfmgr' condition: vfc-vnfmgr.enabled - name: vfc-vnfres - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/vfc-vnfres' condition: vfc-vnfres.enabled - name: vfc-zte-vnfm-driver - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/vfc-zte-vnfm-driver' condition: vfc-zte-vnfm-driver.enabled diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml b/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml index 3655c82dbd..a8f441dce4 100644 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml +++ b/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml 
@@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - Generic VNFM Driver name: vfc-generic-vnfm-driver -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml index b5ab1fb93c..4cd1100988 100644 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml @@ -70,16 +70,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: "{{ .Values.log.path }}" - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/gvnfmdriver/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -92,14 +88,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml b/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml index 6a4a802028..c96712be4f 100644 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml +++ b/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml @@ -72,18 +72,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml index 2ca97f8722..37158d942d 100644 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml +++ b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - Huawei VNFM Driver name: vfc-huawei-vnfm-driver -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml index f96d4d664b..ff22976b17 100644 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml 
@@ -73,16 +73,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/hwvnfmdriver/config/log4j.properties subPath: log4j.properties - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -95,14 +91,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml index 32221692e3..040ad08694 100644 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml +++ b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml @@ -74,18 +74,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 2000Mi + cpu: "200m" + memory: "2Gi" requests: - cpu: 100m - memory: 1000Mi + cpu: "100m" + memory: "1Gi" large: limits: - cpu: 400m - memory: 4000Mi + cpu: "400m" + memory: "4Gi" requests: - cpu: 200m - memory: 2000Mi + cpu: "200m" + memory: "2Gi" unlimited: {} # Log configuration 
diff --git a/kubernetes/vfc/components/vfc-nslcm/Chart.yaml b/kubernetes/vfc/components/vfc-nslcm/Chart.yaml index 51939a8107..3bef3a8743 100644 --- a/kubernetes/vfc/components/vfc-nslcm/Chart.yaml +++ b/kubernetes/vfc/components/vfc-nslcm/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - NS Life Cycle Management name: vfc-nslcm -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml b/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml index f9faa7e845..88c322fef7 100644 --- a/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' + - --service-name + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: @@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: 
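Review bot: In the `@@ -41,8 +41,8 @@` hunk of vfc-nslcm/templates/deployment.yaml the new readiness argument `- {{ include "common.mariadbService" . }}` is unquoted, whereas the line it replaces was quoted. If the helper ever renders an empty string, the list item becomes a YAML null instead of a string and the manifest fails in a less obvious way; `- {{ include "common.mariadbService" . | quote }}` keeps the argument a string in every case. The same line appears in the vfc-vnflcm deployment hunk further down. The init container definition starts outside the hunk.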
@@ -100,16 +107,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/nslcm/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -122,14 +125,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-nslcm/values.yaml b/kubernetes/vfc/components/vfc-nslcm/values.yaml index 0cd3ce178a..48cce40822 100644 --- a/kubernetes/vfc/components/vfc-nslcm/values.yaml +++ b/kubernetes/vfc/components/vfc-nslcm/values.yaml @@ -20,6 +20,8 @@ global: config: ssl_enabled: false mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true localCluster: false service: mariadb-galera internalPort: 3306 
@@ -91,18 +93,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-redis/Chart.yaml b/kubernetes/vfc/components/vfc-redis/Chart.yaml index 9b53ef9ed5..84736f364b 100644 --- a/kubernetes/vfc/components/vfc-redis/Chart.yaml +++ b/kubernetes/vfc/components/vfc-redis/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - REDIS name: vfc-redis -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml b/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml index 787c62c3c5..02fc994599 100644 --- a/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml @@ -55,8 +55,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -65,5 +64,4 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-redis/values.yaml b/kubernetes/vfc/components/vfc-redis/values.yaml index 1c6c4b4cce..60c95b9b7c 100644 
--- a/kubernetes/vfc/components/vfc-redis/values.yaml +++ b/kubernetes/vfc/components/vfc-redis/values.yaml @@ -66,16 +66,16 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} \ No newline at end of file diff --git a/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml b/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml index 79d77d0347..fe0ce9b4f9 100644 --- a/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml +++ b/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - VNF Life Cycle Management name: vfc-vnflcm -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml b/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml index 8c414ffc59..e915587a4f 100644 --- a/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' + - --service-name + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: 
@@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: @@ -100,16 +107,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/gvnfm-vnflcm/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -122,14 +125,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-vnflcm/values.yaml b/kubernetes/vfc/components/vfc-vnflcm/values.yaml index fcad261817..bc22a32206 100644 --- a/kubernetes/vfc/components/vfc-vnflcm/values.yaml +++ b/kubernetes/vfc/components/vfc-vnflcm/values.yaml 
@@ -20,6 +20,8 @@ global: config: ssl_enabled: false mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true localCluster: false service: mariadb-galera internalPort: 3306 @@ -91,18 +93,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml b/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml index 076155f01e..d5ec0cfc80 100644 --- a/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml +++ b/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - VNF Manager name: vfc-vnfmgr -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml b/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml index 9fcf9b923d..8dd9f57921 100644 --- a/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' + - --service-name + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: 
@@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: @@ -100,16 +107,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/gvnfm-vnfmgr/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -122,9 +125,6 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig @@ -132,5 +132,4 @@ spec: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-vnfmgr/values.yaml b/kubernetes/vfc/components/vfc-vnfmgr/values.yaml index 528bbe0c01..31b5a66fd0 100644 --- a/kubernetes/vfc/components/vfc-vnfmgr/values.yaml +++ b/kubernetes/vfc/components/vfc-vnfmgr/values.yaml 
@@ -20,6 +20,8 @@ global: config: ssl_enabled: false mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true localCluster: false service: mariadb-galera internalPort: 3306 @@ -90,18 +92,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-vnfres/Chart.yaml b/kubernetes/vfc/components/vfc-vnfres/Chart.yaml index 2c9c14e7f9..be05a88d7a 100644 --- a/kubernetes/vfc/components/vfc-vnfres/Chart.yaml +++ b/kubernetes/vfc/components/vfc-vnfres/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - VNF Resource Manager name: vfc-vnfres -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml b/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml index 5723b0f322..f4138d256f 100644 --- a/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' + - --service-name + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: 
@@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: @@ -100,16 +107,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/gvnfm-vnfres/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -118,18 +121,13 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-vnfres/values.yaml b/kubernetes/vfc/components/vfc-vnfres/values.yaml index c2954d5517..2c54249de4 100644 --- a/kubernetes/vfc/components/vfc-vnfres/values.yaml +++ b/kubernetes/vfc/components/vfc-vnfres/values.yaml 
@@ -20,6 +20,8 @@ global: config: ssl_enabled: false mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true localCluster: false service: mariadb-galera internalPort: 3306 @@ -91,18 +93,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml b/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml index 6fb5a7d0c1..2511b5e587 100644 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml +++ b/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - ZTE VNFM Driver name: vfc-zte-vnfm-driver -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml index 855532ddf3..c58957c2a2 100644 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml 
@@ -70,16 +70,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/ztevnfmdriver/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -92,14 +88,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml b/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml index 258407b6ba..3588ba548e 100644 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml +++ b/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml @@ -72,18 +72,18 @@ ingress: resources: small: limits: - cpu: 100m - memory: 500Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 50m - memory: 250Mi + cpu: "50m" + memory: "200Mi" large: limits: - cpu: 200m - memory: 1000Mi + cpu: "200m" + memory: "1Gi" requests: - cpu: 100m - memory: 500Mi + cpu: "100m" + memory: "500Mi" unlimited: {} # Log configuration 
diff --git a/kubernetes/vfc/values.yaml b/kubernetes/vfc/values.yaml index a0b69e0c94..05b7eb1fa3 100644 --- a/kubernetes/vfc/values.yaml +++ b/kubernetes/vfc/values.yaml @@ -30,6 +30,8 @@ global: persistence: mountPath: /dockerdata-nfs mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows VFC to instantiate its own mariadb-galera cluster localCluster: false service: mariadb-galera @@ -59,6 +61,10 @@ mariadb-galera: &localMariadb # password: externalSecret: *dbRootPassSecret nameOverride: &dbServer vfc-mariadb + service: + name: *dbServer + portName: *dbServer + internalPort: 3306 nfsprovisionerPrefix: vfc persistence: mountSubPath: vfc/data @@ -67,6 +73,9 @@ mariadb-galera: &localMariadb serviceAccount: nameOverride: *dbServer replicaCount: 1 + mariadbOperator: + galera: + enabled: false vfc-generic-vnfm-driver: enabled: true diff --git a/kubernetes/vid/.helmignore b/kubernetes/vid/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vid/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/vid/Chart.yaml b/kubernetes/vid/Chart.yaml deleted file mode 100644 index 67eb0be0c4..0000000000 --- a/kubernetes/vid/Chart.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Virtual Infrastructure Deployment -name: vid -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: mariadb-galera - version: ~12.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~12.x-0 - repository: '@local' - condition: not global.mariadbGalera.localCluster - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vid/resources/config/db_cmd.sh b/kubernetes/vid/resources/config/db_cmd.sh deleted file mode 100755 index daa1f8b6ea..0000000000 --- a/kubernetes/vid/resources/config/db_cmd.sh +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/sh -{{/* -# Copyright © 2018 AT&T -# Copyright © 2020 Aarna Networks -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -DB={{index .Values "mariadb-galera" "db" "name" | upper }} -eval "MYSQL_USER=\$MYSQL_USER_${DB}" -eval "MYSQL_PASSWORD=\$MYSQL_PASSWORD_${DB}" - -#echo "Going to run mysql ${DB} -u${MYSQL_USER} -p${MYSQL_PASSWORD} -h${DB_HOST} -P${DB_PORT} ..." -mysql -u${MYSQL_USER} -p${MYSQL_PASSWORD} -h${DB_HOST} -P${DB_PORT} <<'EOD' -CREATE TABLE IF NOT EXISTS `{{index .Values "mariadb-galera" "db" "name" }}`.`schema_info` ( -`SCHEMA_ID` VARCHAR(25) NOT NULL, -`SCHEMA_DESC` VARCHAR(75) NOT NULL, -`DATASOURCE_TYPE` VARCHAR(100) NULL DEFAULT NULL, -`CONNECTION_URL` VARCHAR(200) NOT NULL, -`USER_NAME` VARCHAR(45) NOT NULL, -`PASSWORD` VARCHAR(45) NULL DEFAULT NULL, -`DRIVER_CLASS` VARCHAR(100) NOT NULL, -`MIN_POOL_SIZE` INT(11) NOT NULL, -`MAX_POOL_SIZE` INT(11) NOT NULL, -`IDLE_CONNECTION_TEST_PERIOD` INT(11) NOT NULL) -ENGINE = InnoDB -DEFAULT CHARACTER SET = utf8; -EOD - -if [ $? -ne 0 ];then - echo "ERROR: Failed to run cmd vid-pre-init.sql" - exit 1 -else - echo "INFO: Database initialized successfully" -fi diff --git a/kubernetes/vid/resources/config/log/filebeat/filebeat.yml b/kubernetes/vid/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 9a721a885e..0000000000 --- a/kubernetes/vid/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. 
- loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/vid/resources/config/log/vid/logback.xml b/kubernetes/vid/resources/config/log/vid/logback.xml deleted file mode 100644 index 17af1c990f..0000000000 --- a/kubernetes/vid/resources/config/log/vid/logback.xml +++ /dev/null 
@@ -1,386 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${debugLoggerPattern} - - - - - - - - - - ${logDirectory}/${generalLogName}.log - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${applicationLoggerPattern} - - - - - - ${queueSize} - true - - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${auditLoggerPattern} - - - - ${queueSize} - - true - - - - - - INVOKE - INVOKE-RETURN - - DENY - ACCEPT - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${metricsLoggerPattern} - - - - ${queueSize} - - true - - - - - ERROR - ACCEPT - NEUTRAL - - - WARN - ACCEPT - DENY - - ${logDirectory}/${errorLogName}.log - - ${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${errorLoggerPattern} - - - - - ${queueSize} - - true - - - - ${logDirectory}/${debugLogName}.log - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${debugLoggerPattern} - - - - ${queueSize} - - true - - - - ${logDirectory}/${outgoingRequestsLogName}.log - - ${logDirectory}/${outgoingRequestsLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${debugLoggerPattern} - - - - ${queueSize} - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/vid/templates/NOTES.txt b/kubernetes/vid/templates/NOTES.txt deleted file mode 100644 index a209ea8f29..0000000000 --- a/kubernetes/vid/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ .Chart.Name }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} 
diff --git a/kubernetes/vid/templates/configmap.yaml b/kubernetes/vid/templates/configmap.yaml deleted file mode 100644 index 5c423e61cc..0000000000 --- a/kubernetes/vid/templates/configmap.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-log-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/log/vid/*").AsConfig . | indent 2 }} ---- -{{ include "common.log.configMap" . }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-db-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/db_cmd.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml deleted file mode 100644 index 116a7cdfed..0000000000 --- a/kubernetes/vid/templates/deployment.yaml +++ /dev/null 
@@ -1,171 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-mariadb-init-config-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export VID_TRUSTSTORE_PLAIN_PASSWORD=${VID_TRUSTSTORE_PASSWORD} - export VID_TRUSTSTORE_PASSWORD=`java -cp /usr/local/tomcat/webapps/vid/WEB-INF/lib/jetty-util-9.4.20.v20190813.jar org.eclipse.jetty.util.security.Password ${VID_TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - /tmp/vid/localize.sh - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: ASDC_CLIENT_REST_HOST - value: sdc-be.{{ include "common.namespace" . }} - - name: ASDC_CLIENT_REST_AUTH - value: "{{ .Values.config.asdcclientrestauth }}" - - name: ASDC_CLIENT_REST_PORT - value: "{{ .Values.config.asdcclientrestport }}" - - name: ASDC_CLIENT_REST_PROTOCOL - value: "https" - - name: VID_AAI_URL - value: https://aai.{{ include "common.namespace" . }}:{{ .Values.config.vidaaiport }} - - name: VID_ECOMP_SHARED_CONTEXT_REST_URL - value: http://portal-app.{{ include "common.namespace" . }}:{{ .Values.config.onapport }}/ONAPPORTAL/context - - name: VID_MSO_SERVER_URL - value: http://so.{{ include "common.namespace" . 
}}:{{ .Values.config.msoport }}/onap/so/infra - - name: VID_MSO_PASS - value: "{{ .Values.config.vidmsopass }}" - - name: MSO_DME2_SERVER_URL - value: "{{ .Values.config.msodme2serverurl }}" - - name: MSO_DME2_ENABLED - value: {{ .Values.global.debugEnabled | default .Values.debugEnabled | quote }} - - name: VID_ECOMP_REDIRECT_URL - value: https://{{ .Values.config.portalhost }}:{{ .Values.config.onapport }}/ONAPPORTAL/login.htm - - name: VID_ECOMP_REST_URL - value: https://portal-app:{{ .Values.config.onapportrest }}/ONAPPORTAL/auxapi - - name: VID_ROLE_ACCESS_CENTRALIZED - value: "{{ .Values.config.roleaccesscentralized }}" - - name: VID_CONTACT_US_LINK - value: "{{ .Values.config.vidcontactuslink }}" - - name: VID_UEB_URL_LIST - value: message-router.{{ include "common.namespace" . }} - - name: VID_MYSQL_HOST - value: {{ include "common.mariadbService" . }} - - name: VID_MYSQL_PORT - value: "{{ include "common.mariadbPort" . }}" - - name: VID_MYSQL_DBNAME - value: {{ index .Values "mariadb-galera" "db" "name" }} - - name: VID_MYSQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "vid-db-user-secret" "key" "login") | indent 14 }} - - name: VID_MYSQL_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 14 }} - - name: VID_MYSQL_MAXCONNECTIONS - value: "{{ .Values.config.vidmysqlmaxconnections }}" - {{- if .Values.global.aafEnabled }} - - name: VID_KEYSTORE_FILENAME - value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks" - - name: VID_TRUSTSTORE_FILENAME - value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks" - {{- end }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: "{{ .Values.log.path }}" - name: vid-logs - - mountPath: /tmp/logback.xml - name: vid-logback - subPath: logback.xml - - mountPath: /opt/app/vid - name: vid-cache - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - {{ include "common.log.volumes" . | nindent 8 }} - - name: vid-cache - emptyDir: {} - - name: vid-logs - emptyDir: {} - - name: vid-logback - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vid/templates/ingress.yaml b/kubernetes/vid/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/vid/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/vid/templates/secrets.yaml b/kubernetes/vid/templates/secrets.yaml deleted file mode 100644 index 670838c6cf..0000000000 --- a/kubernetes/vid/templates/secrets.yaml +++ /dev/null 
@@ -1,19 +0,0 @@
-{{/*
-# Copyright © 2017 Amdocs, Bell Canada
-# Copyright © 2020 Samsung Electronics
-# Copyright © 2021 Orange
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-{{ include "common.secretFast" . }}
diff --git a/kubernetes/vid/templates/service.yaml b/kubernetes/vid/templates/service.yaml
deleted file mode 100644
index e62f64d366..0000000000
--- a/kubernetes/vid/templates/service.yaml
+++ /dev/null
@@ -1,62 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-http - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: ClusterIP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . 
}} - ports: - - name: {{ .Values.service.portName }}-http - port: {{ .Values.service.externalHttpPort }} - targetPort: {{ .Values.service.internalHttpPort }} - protocol: TCP diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml deleted file mode 100644 index f2ca8143a3..0000000000 --- a/kubernetes/vid/values.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for vid. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - nodePortPrefix: 302 - mariadbGalera: &mariadbGalera - #This flag allows VID to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - centralizedLoggingEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: vid-db-user-secret - name: &dbUserSecretName '{{ include "common.release" . }}-vid-db-user-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: vid-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: vid - fqi: vid@vid.onap.org - public_fqdn: vid.onap.org - fqi_namespace: "org.onap.vid" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** retrieving password for keystore and trustore" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) - if [ -z "$cadi_keystore_password" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWD}" \ - -storepass "${cadi_keystore_password_jks}" \ - -keystore {{ .Values.fqi_namespace }}.jks - keytool -storepasswd -new "${TRUSTORE_PASSWD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** set key password as same password as keystore password" - keytool -keypasswd -new "${KEYSTORE_PASSWD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_jks}" \ - -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }} - echo "*** save the generated passwords" - echo "VID_KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop - echo "VID_TRUSTSTORE_PASSWORD=${TRUSTORE_PASSWD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 . 
- fi - -subChartsOnly: - enabled: true - -# application image -image: onap/vid:8.0.2 -pullPolicy: Always - -# application configuration -config: - db: - userName: vidadmin -# userCredentialsExternalSecret: some secret -# userPassword: password - asdcclientrestauth: "Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU=" - asdcclientrestport: "8443" - vidaaiport: "8443" - onapport: "30225" - onapportrest: "8443" - portalhost: "portal.api.simpledemo.onap.org" - msoport: "8080" - vidmsopass: OBF:1ih71i271vny1yf41ymf1ylz1yf21vn41hzj1icz - msodme2serverurl: http://localhost:8081 - vidcontactuslink: https://todo_contact_us_link.com - vidmysqlmaxconnections: "5" - logstashServiceName: log-ls - logstashPort: 5044 - roleaccesscentralized: remote - -mariadb-galera: - db: - # password: - externalSecret: *dbUserSecretName - name: &mysqlDbName vid_openecomp_epsdk - nameOverride: &vid-galera vid-galera - replicaCount: 3 - persistence: - enabled: true - mountSubPath: vid/maria/data - externalConfig: |- - [mysqld] - lower_case_table_names = 1 - serviceAccount: - nameOverride: *vid-galera - -mariadb-init: - config: - userCredentialsExternalSecret: *dbUserSecretName - mysqlDatabase: *mysqlDbName - nameOverride: vid-mariadb-init - # A configMap of same name is created. It points to file that will be run after - # The DB has been created. - dbScriptConfigMap: '{{ include "common.release" . 
}}-vid-db-init' - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: vid - portName: vid - externalPort: 8443 - internalPort: 8443 - nodePort: "00" - externalHttpPort: 8080 - internalHttpPort: 8080 - -ingress: - enabled: false - service: - - baseaddr: "vid-ui" - name: "vid-http" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 200m - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - large: - limits: - cpu: 400m - memory: 4Gi - requests: - cpu: 200m - memory: 2Gi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap diff --git a/kubernetes/vnfsdk/Chart.yaml b/kubernetes/vnfsdk/Chart.yaml index 1c67281798..bf0dbe6640 100644 --- a/kubernetes/vnfsdk/Chart.yaml +++ b/kubernetes/vnfsdk/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP VNF SDK name: vnfsdk -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vnfsdk/resources/nginx/nginx.conf b/kubernetes/vnfsdk/resources/nginx/nginx.conf index d26cc5d813..9d7aa78b36 100644 --- a/kubernetes/vnfsdk/resources/nginx/nginx.conf +++ b/kubernetes/vnfsdk/resources/nginx/nginx.conf 
@@ -38,16 +38,8 @@ http { error_log /var/log/nginx/error.log; server { - listen *:8703 ssl; - server_name - ssl on; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.pem; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_session_cache builtin:1000 shared:SSL:80m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; - ssl_prefer_server_ciphers on; - ssl_session_timeout 10m; + listen {{ .Values.service.internalPort }}; + server_name {{ .Values.service.name }}; keepalive_timeout 70; location / { diff --git a/kubernetes/vnfsdk/templates/deployment.yaml b/kubernetes/vnfsdk/templates/deployment.yaml index 89eba2f360..bf9ad3e031 100644 --- a/kubernetes/vnfsdk/templates/deployment.yaml +++ b/kubernetes/vnfsdk/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
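Review bot: The new `listen {{ .Values.service.internalPort }};` line makes this server block cleartext-only, and nothing in the hunk records where transport encryption is now expected to happen. The removed block did carry weak settings (`TLSv1`, `TLSv1.1`, `DH+3DES`), so dropping it is reasonable if TLS is terminated in front of the pod. However, the kubernetes/vnfsdk/values.yaml service hunk in this same diff keeps `type: NodePort` with `nodePort: '97'` and renames the port from `https` to `http`, which suggests the plain HTTP listener is reachable on a node port. I would add a comment above the directive, for example `# cleartext on purpose: TLS is terminated by the ingress / service mesh`, and confirm that the NodePort exposure is intended. The `server` block continues past the end of the hunk.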
@@ -16,26 +17,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - command: - sh args: 
@@ -54,28 +43,14 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - - - command: - - /app/ready.py - args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} - resources: -{{ include "common.resources" . | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + ports: {{ include "common.containerPorts" . | nindent 8 }} + resources: {{ include "common.resources" . | nindent 10 }} + volumeMounts: - mountPath: /service/webapps/ROOT/WEB-INF/classes/mybatis/configuration/configuration.xml name: init-data subPath: configuration.xml @@ -87,9 +62,8 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + volumes: - name: init-data-input configMap: name: {{ include "common.fullname" . }} diff --git a/kubernetes/vnfsdk/templates/ingress.yaml b/kubernetes/vnfsdk/templates/ingress.yaml index 8f87c68f1e..1f6ec7ab0e 100644 --- a/kubernetes/vnfsdk/templates/ingress.yaml 
+++ b/kubernetes/vnfsdk/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/vnfsdk/templates/job.yaml b/kubernetes/vnfsdk/templates/job.yaml index 7c320fc86f..a6966a7708 100644 --- a/kubernetes/vnfsdk/templates/job.yaml +++ b/kubernetes/vnfsdk/templates/job.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -37,8 +38,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" + - --service-name + - "{{ .Values.postgres.service.name2 }}" env: - name: NAMESPACE valueFrom: @@ -48,6 +49,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy}} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.image.postgres" . }} 
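Review bot: The readiness init container in job.yaml is still written out by hand (`/app/ready.py` with `--service-name`), and the following hunk adds hard-coded `resources` to it, while deployment.yaml in this diff switches to `{{ include "common.readinessCheck.waitFor" . | nindent 6 }}` driven by `readinessCheck.wait_for.services` in values.yaml. Both wait on the same `.Values.postgres.service.name2`, so the job could use the same include and drop the inline container, which keeps the image, pull policy and limits defined in one place. This assumes the helper renders an equivalent init container, which is not visible here. The init container list starts above the hunk.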
@@ -66,8 +74,8 @@ spec: - name: init-data mountPath: /aaa/init/marketplace_tables_postgres.sql subPath: marketplace_tables_postgres.sql - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} volumes: - name: init-data configMap: diff --git a/kubernetes/vnfsdk/templates/service.yaml b/kubernetes/vnfsdk/templates/service.yaml index 25786bd7ad..6127b2b373 100644 --- a/kubernetes/vnfsdk/templates/service.yaml +++ b/kubernetes/vnfsdk/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modification © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,27 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - name: {{ .Values.service.portName | default "http" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml index a19f15d991..723dfc3b4f 100644 --- a/kubernetes/vnfsdk/values.yaml +++ b/kubernetes/vnfsdk/values.yaml 
@@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -33,37 +34,6 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: refrepo-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: refrepo - fqi: refrepo@refrepo.onap.org - fqi_namespace: org.onap.refrepo - public_fqdn: refrepo.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - echo "keystore password: $$cadi_keystore_password_p12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership of certificates to targeted user" - chown -R 999 {{ .Values.credsPath }}/certs - - ################################################################# # Application configuration defaults. ################################################################# 
@@ -104,18 +74,18 @@ flavor: small resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "2000m" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "4000m" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1000m" + memory: "2Gi" unlimited: {} # probe configuration parameters @@ -133,9 +103,11 @@ readiness: service: type: NodePort name: refrepo - portName: https - nodePort: 97 internalPort: 8703 + ports: + - name: http + port: 8703 + nodePort: '97' ingress: enabled: false @@ -145,3 +117,12 @@ ingress: port: 8703 config: ssl: "redirect" + +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' diff --git a/requirements.txt b/requirements.txt index a849267b23..b5cdcc0c10 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,6 +9,7 @@ PyEnchant pylint autopep8 gitlint-core +sh==1.14.3 sphinxcontrib-blockdiag sphinxcontrib-seqdiag sphinxcontrib-swaggerdoc diff --git a/tox.ini b/tox.ini index d90f545f92..253cb6b423 100644 --- a/tox.ini +++ b/tox.ini @@ -15,7 +15,7 @@ ignore-path-errors=docs/helm-search.txt;D001 basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt commands = - doc8 docs/ 
@@ -24,28 +24,36 @@ commands = basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt +allowlist_externals = sudo commands = - sphinx-build -q -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html + sudo apt install graphviz + sphinx-build -q -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html [testenv:docs-linkcheck] basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt -commands = sphinx-build -q -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck +allowlist_externals = sudo +commands = + sudo apt install graphviz + sphinx-build -q -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck [testenv:spelling] basepython = python3.8 -whitelist_externals = wget +allowlist_externals = + wget + sudo deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt changedir={toxinidir}/docs commands = + sudo apt install graphviz wget -nv https://git.onap.org/doc/plain/docs/spelling_wordlist.txt -O spelling_wordlist.txt sphinx-build -b spelling -d {envtmpdir}/doctrees . _build/spelling 
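Review bot: `sudo apt install graphviz` is added to the `commands` of the docs, docs-linkcheck and spelling environments without `-y`, so on a runner without a terminal apt is likely to stop at or abort on the confirmation prompt, and the `apt` front end is not intended for use in scripts. It also means every docs run needs passwordless root and changes the host's package set; installing graphviz when the build image is provisioned would keep tox unprivileged and let `sudo` stay out of `allowlist_externals`. If the step has to stay here, `sudo apt-get install -y --no-install-recommends graphviz` is the non-interactive form. The section header of the first environment touched is above the hunk.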
@@ -53,14 +61,14 @@ commands = basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt commands = gitlint [testenv:checkbashisms] deps = -whitelist_externals = +allowlist_externals = {toxinidir}/.ci/check-bashisms.sh commands = {toxinidir}/.ci/check-bashisms.sh @@ -68,7 +76,7 @@ commands = [testenv:shellcheck] basepython = python3 deps = shellcheck-py -whitelist_externals = find +allowlist_externals = find commands = find . -not -path '*/\.*' -name *.sh -exec shellcheck \{\} + @@ -76,7 +84,7 @@ commands = basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt commands = autopep8 --max-line-length 120 --in-place --recursive kubernetes/ TOSCA/ docs/ @@ -85,9 +93,9 @@ commands = basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt -whitelist_externals = find +allowlist_externals = find commands = find kubernetes/ TOSCA/ docs/ -name *.py -exec pylint --max-line-length=120 --disable=missing-docstring --method-rgx="(([a-z_][a-zA-Z0-9_]{2,})|(_[a-z0-9_]*)|(__[a-zA-Z][a-zA-Z0-9_]+__))$" --variable-rgx="[a-zA-Z_][a-zA-Z0-9_]{1,30}$" --reports=y --score=y --output-format=colorized \{\} +